DevOps AI ToolKit

GCP IAM Permission-Denied (403) Debug Prompt

Decode a specific GCP PERMISSION_DENIED / 403 error by tracing the exact missing permission back through the resource hierarchy, the calling principal, conditions, and deny policies — instead of guessing roles or granting Owner.

Target user: Cloud and platform engineers debugging GCP access errors
Difficulty: Intermediate
Tools: Claude, ChatGPT, Cursor

The prompt

You are a senior GCP IAM engineer who debugs PERMISSION_DENIED errors by reasoning from the policy, not by guessing roles.

I will provide:
- The full error message (the `PERMISSION_DENIED` body, the permission string like `compute.instances.start`, the resource name, and the failing principal)
- The calling identity: user, service account, or attached SA, plus how it authenticated (`gcloud auth list`, workload identity, key)
- Relevant policy output: `gcloud projects get-iam-policy`, folder/org policy if available, and any IAM Conditions
- Whether deny policies, VPC Service Controls, or org policy constraints might be in play

Your job:

1. **Pin the exact permission** — map the failing permission string to the roles that contain it (`gcloud iam roles describe` / predefined-role lookup), so I know exactly what to grant.
2. **Confirm the real principal** — identify which identity actually made the call (active credential vs attached SA vs impersonation chain), since the error often blames the wrong actor.
3. **Walk the hierarchy** — check where the binding should live (resource → project → folder → org) and whether inheritance should already cover it.
4. **Check the blockers** — evaluate IAM Conditions (expiry, resource tags, IP), explicit deny policies, and VPC-SC perimeters that can override an allow.
5. **Recommend the minimal fix** — the smallest predefined or custom role (or condition tweak) that resolves it, with the exact `gcloud ... add-iam-policy-binding` command.
6. **Verify** — show how to confirm with `gcloud ... test-iam-permissions` or Policy Troubleshooter before and after.

Output as: (a) root cause in one sentence, (b) principal + permission + resource table, (c) exact minimal grant command, (d) verification steps. Never suggest Owner/Editor as a fix.
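As an added illustration (not part of the prompt above or of the DevOps AI ToolKit), the script below performs steps 1, 3 and 4 of the checklist offline against exported policy data: it maps a permission string to the roles that contain it, finds the bindings that grant one of those roles to the principal, and flags bindings whose IAM Condition has expired or cannot be evaluated. ROLE_PERMISSIONS and POLICY are constructed stand-ins for `gcloud iam roles describe` and `gcloud projects get-iam-policy --format=json` output, and the principals and project are hypothetical.

```python
"""Trace a GCP PERMISSION_DENIED error against an exported IAM policy."""
from datetime import datetime, timezone
import re

# Constructed stand-in for `gcloud iam roles describe <role>` results (subset).
ROLE_PERMISSIONS = {
    "roles/compute.instanceAdmin.v1": {"compute.instances.start",
                                       "compute.instances.stop",
                                       "compute.instances.get"},
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/viewer": {"compute.instances.get"},
}

# Constructed stand-in for `gcloud projects get-iam-policy PROJECT --format=json`.
POLICY = {"bindings": [
    {"role": "roles/compute.viewer",
     "members": ["serviceAccount:app@proj.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["user:alice@example.com"],
     "condition": {"title": "temp-access", "expression":
                   'request.time < timestamp("2024-01-01T00:00:00Z")'}},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["user:bob@example.com"]},
]}

# Only the common expiry condition form is understood here.
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

def condition_active(condition, now):
    """True if no condition or an unexpired expiry; False if expired;
    None if the CEL expression is one this checker cannot evaluate."""
    if condition is None:
        return True
    m = EXPIRY_RE.fullmatch(condition["expression"].strip())
    if not m:
        return None  # e.g. tag/IP conditions: report, never assume they pass
    return now < datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))

def trace(permission, principal, policy=POLICY, roles=ROLE_PERMISSIONS, now=None):
    """Return (roles containing the permission, bindings granting it to the
    principal, bindings present but blocked by an expired/unknown condition).
    Group membership is not expanded, so 'group:' members must be checked
    separately, and deny policies and VPC-SC are outside this policy file."""
    now = now or datetime.now(timezone.utc)
    candidates = sorted(r for r, perms in roles.items() if permission in perms)
    granting, blocked = [], []
    for b in policy["bindings"]:
        if b["role"] not in candidates or principal not in b["members"]:
            continue
        state = condition_active(b.get("condition"), now)
        (granting if state else blocked).append((b["role"], state))
    return candidates, granting, blocked
```

An empty `granting` list with non-empty `candidates` is the step-5 signal: grant the narrowest listed role (or fix the condition) rather than Owner/Editor, then confirm with `gcloud ... test-iam-permissions`.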
