
Troubleshooting GCP IAM: PERMISSION_DENIED Alerts for VPC Firewall Rule Creation

Quick Fix Summary

TL;DR

Grant `roles/compute.securityAdmin` to the principal that made the call, on the project that owns the VPC network (the host project in a Shared VPC setup). `roles/compute.networkAdmin` is a broader alternative; confirm that it carries `compute.firewalls.create` before relying on it.

This error means the principal that made the call (a user, a group member, or a service account) lacks `compute.firewalls.create` (or `compute.firewalls.update` / `compute.firewalls.delete` for modifications) on the project that owns the VPC network. Firewall rules are project-level resources, so the role must be granted on that project, which for a Shared VPC is the host project rather than the service project the automation was configured against.

Diagnosis & Causes

  • The principal holds no role on the project that includes `compute.firewalls.create`; `roles/compute.securityAdmin` is the predefined role intended for firewall management.
  • The role was granted on the wrong project: the rule is created in the project that owns the network, which for a Shared VPC is the host project.
  • An IAM deny policy at the organization or folder level blocks the permission even though a project-level allow binding grants it (allow bindings only add permissions as they are inherited; they never override a parent-level deny).
  • The call is made by a different principal than expected, typically the service account a CI/CD pipeline or Terraform actually runs as, or impersonates.

Recovery Steps

Step 1: Diagnose the Principal and Missing Permission

Use the Admin Activity audit log to identify the exact principal (user or service account), the permission that was denied, and the resource it was denied on. Status code 7 is PERMISSION_DENIED, and the VPC firewall API methods are named `v1.compute.firewalls.insert`, `.patch`, `.update` and `.delete` (`beta.` for the beta API). The `protoPayload.authorizationInfo` entry without `granted: true` names the missing permission, and the project in `protoPayload.resourceName` is where the role has to be granted.

```bash
gcloud logging read \
  'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.status.code=7 AND protoPayload.methodName:"compute.firewalls"' \
  --project=PROJECT_ID --freshness=1d --limit=5 \
  --format="json(protoPayload.methodName, protoPayload.resourceName, protoPayload.authenticationInfo.principalEmail, protoPayload.authorizationInfo)"
```
Step 2: Verify Current IAM Bindings

Check the IAM policy of the project that owns the network to see which roles the failing principal holds there. Roles obtained through a group membership or inherited from a folder or organization do not appear under the principal's own email, and a binding may carry an IAM condition that excludes the request; if a role looks present but the call is still denied, inspect the binding with `--format=json` and read its `condition`.

```bash
gcloud projects get-iam-policy PROJECT_ID \
  --flatten="bindings[].members" \
  --format="table(bindings.role, bindings.members, bindings.condition.title)" \
  --filter="bindings.members:PRINCIPAL_EMAIL"
```
Step 3: Check for Organization/Folder Policy Restrictions

An IAM deny policy attached to a parent node (organization or folder) overrides any allow binding below it, so a correct project-level grant can still be denied. List deny policies with `gcloud iam policies list --attachment-point=cloudresourcemanager.googleapis.com/projects/PROJECT_ID --kind=denypolicies`, and repeat with the `folders/FOLDER_ID` and `organizations/ORG_ID` attachment points on the path to the project.

To see which allow bindings anywhere in the hierarchy (including through groups) would grant the permission, run the Cloud Asset policy analyzer at organization scope. The identity must carry its type prefix, and the Cloud Asset API has to be enabled.

```bash
gcloud asset analyze-iam-policy --organization=ORG_ID \
  --identity="serviceAccount:PRINCIPAL_EMAIL" \
  --full-resource-name="//cloudresourcemanager.googleapis.com/projects/PROJECT_ID" \
  --permissions=compute.firewalls.create --expand-groups
```
Step 4: Grant the Required IAM Role

Grant `roles/compute.securityAdmin` on the project that owns the network; for a Shared VPC that is the host project. The member must carry its type prefix (`user:`, `group:` or `serviceAccount:`); a bare email address is rejected. `compute.securityAdmin` also allows managing SSL certificates and Shielded VM settings, so grant it to the specific automation identity rather than to a broad group. If the policy already contains conditional bindings, gcloud prompts for a condition; pass `--condition=None` to add an unconditional binding. If you prefer `roles/compute.networkAdmin` for broader network control, verify that its permission list includes `compute.firewalls.create` before relying on it, because role contents are updated over time.

```bash
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:PRINCIPAL_EMAIL" \
  --role=roles/compute.securityAdmin
```
Step 5: Validate Permission Post-Grant

Use Policy Troubleshooter to confirm the principal now holds the permission on the project. It evaluates allow bindings across the resource hierarchy, group memberships and deny policies, and reports which binding grants or blocks access, which tells you more than simply repeating the failing call.

```bash
gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/PROJECT_ID \
  --principal-email=PRINCIPAL_EMAIL \
  --permission=compute.firewalls.create
```
Step 6: Test Firewall Rule Creation

Create a throwaway rule to verify the fix, then remove it. Keep the test rule harmless: scope it to a target tag that no instance carries and to a private source range, so that testing IAM does not open port 80 to the internet on every VM in the network. Delete it afterwards with `gcloud compute firewall-rules delete iam-smoke-test --project=PROJECT_ID --quiet`.

```bash
gcloud compute firewall-rules create iam-smoke-test --project=PROJECT_ID \
  --network=default --direction=INGRESS --allow=tcp:80 \
  --source-ranges=10.0.0.0/8 --target-tags=iam-smoke-test \
  --description="Temporary IAM permission check" --quiet
```
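
The six steps above are manual. As an added example (not code from the original article and not a Google tool), the script below automates the interpretation of Step 1's output and turns it into the commands for Steps 4 and 5: it reads the JSON array that `gcloud logging read ... --format=json` prints, keeps only denied authorization checks on firewall methods, derives the IAM member string from the principal email, and reads the owning project out of the resource name so the grant lands on the host project in a Shared VPC setup. The embedded sample entries are constructed; the project ids, emails and rule name are made up.

```python
"""Triage PERMISSION_DENIED audit-log entries for VPC firewall operations.

Added example, not part of the original article. Input is the JSON array that
`gcloud logging read ... --format=json` prints (LogEntry objects carrying a
google.cloud.audit.AuditLog protoPayload). For every denied authorization
check on a firewall method it reports the principal, the IAM member string,
the denied permission, the project that owns the resource, and the gcloud
commands to troubleshoot and to grant the role on that project.
Usage: gcloud logging read '...' --format=json | python3 triage_firewall_denial.py
"""
import json
import sys
from typing import Optional

PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED in protoPayload.status.code
DEFAULT_ROLE = "roles/compute.securityAdmin"

# Constructed sample input: project ids, emails and rule name are made up.
# The first entry mimics a denied v1.compute.firewalls.insert; the audit log
# omits "granted" entirely for the failed check (protobuf default false).
# The second entry is a successful, unrelated call that must be ignored.
SAMPLE_ENTRIES_JSON = json.dumps([
    {
        "logName": "projects/example-host-prj/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.firewalls.insert",
            "resourceName": "projects/example-host-prj/global/firewalls/allow-web",
            "status": {"code": 7, "message": "PERMISSION_DENIED"},
            "authenticationInfo": {
                "principalEmail": "deploy@example-app-prj.iam.gserviceaccount.com"},
            "authorizationInfo": [
                {"permission": "compute.firewalls.create",
                 "resource": "projects/example-host-prj/global/firewalls/allow-web"}],
        },
    },
    {
        "protoPayload": {
            "methodName": "v1.compute.firewalls.list",
            "status": {},
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "authorizationInfo": [{"permission": "compute.firewalls.list", "granted": True}],
        },
    },
])


def member_for(principal_email: str) -> str:
    """Map a principalEmail to the member form add-iam-policy-binding expects."""
    if principal_email.endswith(".gserviceaccount.com"):
        return f"serviceAccount:{principal_email}"
    return f"user:{principal_email}"


def project_of(resource_name: str) -> Optional[str]:
    """Project id from a 'projects/<id>/...' resource name, else None."""
    parts = resource_name.split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "projects" else None


def triage(entries_json: str) -> list:
    """One finding per denied authorization check on a firewall method."""
    findings = []
    for entry in json.loads(entries_json):
        payload = entry.get("protoPayload", {})
        if payload.get("status", {}).get("code") != PERMISSION_DENIED:
            continue
        if ".firewalls." not in payload.get("methodName", ""):
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        for check in payload.get("authorizationInfo", []):
            if check.get("granted", False):
                continue  # only the failed check tells us what to grant
            resource = check.get("resource") or payload.get("resourceName", "")
            findings.append({
                "method": payload.get("methodName"),
                "principal": principal,
                "member": member_for(principal),
                "permission": check.get("permission", ""),
                "project": project_of(resource),
            })
    return findings


def remediation_commands(finding: dict, role: str = DEFAULT_ROLE) -> list:
    """gcloud commands: troubleshoot first, then grant on the owning project."""
    project = finding["project"] or "PROJECT_ID"
    return [
        "gcloud policy-troubleshoot iam "
        f"//cloudresourcemanager.googleapis.com/projects/{project} "
        f"--principal-email={finding['principal']} --permission={finding['permission']}",
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member={finding['member']} --role={role}",
    ]


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENTRIES_JSON
    for f in triage(raw):
        print(f"{f['method']}: {f['member']} lacks {f['permission']} in project {f['project']}")
        for cmd in remediation_commands(f):
            print("  " + cmd)
```

Run without piped input and it processes the embedded sample; for the constructed entry it reports that `serviceAccount:deploy@example-app-prj.iam.gserviceaccount.com` lacks `compute.firewalls.create` in `example-host-prj`, not in the service project the deploy account belongs to, which is exactly the Shared VPC mistake the steps above warn about. Review the printed grant command before running it; the script does not execute anything.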

Architect's Pro Tip

"This often happens when a service account used by a CI/CD pipeline (e.g., Cloud Build) or Terraform only has broad roles like `editor` but lacks the specific `compute.securityAdmin` role required for firewall management. Always audit the precise permissions needed by your automation tools."

Frequently Asked Questions

I granted `compute.admin` but still get PERMISSION_DENIED. Why?

`roles/compute.admin` covers all Compute Engine permissions, including `compute.firewalls.create`, so a continued denial means the grant is not reaching the call rather than the role being too narrow. Check, in this order: that the role was granted on the project named in the audit log's `resourceName` (the host project, if the network is shared); that the principal in the audit log is the one you granted the role to, since Terraform and Cloud Build frequently run as, or impersonate, a different service account; that the binding carries no IAM condition excluding the request; and that no deny policy at a parent folder or organization blocks the permission. If you are using `compute.networkAdmin` instead, confirm with `gcloud iam roles describe roles/compute.networkAdmin` that `compute.firewalls.create` appears in its `includedPermissions`; role contents change over time and the two roles are not interchangeable for firewall management.

How long does it take for IAM permission changes to propagate?

Most changes take effect within a couple of minutes; Google documents up to 7 minutes. Retry the failing operation after that window. A denial that outlives 7 minutes is a policy problem, not propagation, so re-run the diagnostic steps rather than waiting longer.
