
Troubleshooting 403 Permission Denied Error for Service Control API Reporting

Hello Community,

I have a scenario where I am working with two Google Cloud projects:

  • Project A: Contains Service Control API and some private APIs.
  • Project B: Hosts a Cloud Run service with an application that uses Service Control API's Check and Report methods.

Issue Description

I am encountering the following error when trying to report usage from Project B to Project A:

 

{
"error": "<HttpError 403 when requesting https://servicecontrol.googleapis.com/v1/services/compute.googleapis.com:report?alt=json returned \"Permission 'servicemanagement.services.report' denied for the consumer project (or it may not exist)\". Details: \"[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'IAM_PERMISSION_DENIED', 'domain': 'iam.googleapis.com', 'metadata': {'permission': 'servicemanagement.services.report'}}]\">"
}

 

Setup Details

  • Cloud Run Service in Project B calls Project A’s APIs to check VM status and report VM usage to Service Control.
  • Service account used by Cloud Run has the following roles assigned in both projects:
    • Service Controller
    • Service Reporter
    • Editor

Additionally, I have tried authenticating with a service account key from Project A, but I still face the same permission error.
I need help identifying why I am getting the IAM_PERMISSION_DENIED error despite the service account having the necessary roles. Any guidance or troubleshooting steps would be greatly appreciated!

Thank you!

1 Reply

Hello @harshada2828,

Thanks for sharing your setup details, issue description, and steps you’ve tried so far. Although I don’t have visibility on your projects’ exact configuration, here are additional steps I can recommend trying out:

  1. Double-check IAM permissions. Ensure the service account used by Cloud Run in Project B has the servicemanagement.services.report permission explicitly granted in Project A.

  2. Confirm if the Service Management API is enabled. See Getting Started with the Service Management API for more info on how to enable the API for your projects.

  3. Use Policy Troubleshooter to troubleshoot permission access. After you’ve checked the Service Management API is enabled, run the troubleshooter for an evaluation to determine possible causes for the permission issues. Refer to the image below for an example.

[Image: troubleshooter-evaluation-details.png]

You may also consider using a different authentication method. Since you mentioned your setup uses a Service Account key, there are more secure alternatives available that you may choose from based on your use case. If you prefer to continue using a Service Account key, refer to these Best Practices for more guidance.

Hope this helped!
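Added example (not part of the thread, and not Google tooling): a Python helper that extracts the target service and the denied permission from the error posted in the question, then checks an exported Project A IAM policy for roles that carry that permission, which is step 1 of the reply done offline. The service account name, the policy export and the role contents are constructed samples.

```python
import ast
import json
import re

# Error body exactly as posted in the question.
POSTED = r'''{
"error": "<HttpError 403 when requesting https://servicecontrol.googleapis.com/v1/services/compute.googleapis.com:report?alt=json returned \"Permission 'servicemanagement.services.report' denied for the consumer project (or it may not exist)\". Details: \"[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'IAM_PERMISSION_DENIED', 'domain': 'iam.googleapis.com', 'metadata': {'permission': 'servicemanagement.services.report'}}]\">"
}'''
SA = "serviceAccount:run-sa@project-b.iam.gserviceaccount.com"  # constructed name
# Constructed sample of `gcloud projects get-iam-policy PROJECT_A --format=json`.
POLICY_A = {"bindings": [
    {"role": "roles/editor", "members": [SA]},
    {"role": "roles/servicemanagement.reporter", "members": [SA]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
]}
# Constructed excerpt of role contents; read real ones with `gcloud iam roles describe`.
ROLE_PERMS = {"roles/servicemanagement.reporter": {"servicemanagement.services.report"}}

def parse_denial(body):
    """Return status, target service, method and ErrorInfo fields from the error."""
    text = json.loads(body)["error"]
    req = re.search(r"HttpError (\d{3}) when requesting \S+/v1/services/([^:/?\s]+):(\w+)", text)
    details = re.search(r'Details: "(\[.*\])"', text, re.S)
    if not req or not details:
        raise ValueError("not a Service Control HttpError with ErrorInfo details")
    info = ast.literal_eval(details.group(1))[0]  # Python-literal list, not JSON
    return {"status": int(req.group(1)), "service": req.group(2), "method": req.group(3),
            "reason": info["reason"], "permission": info["metadata"]["permission"]}

def roles_granting(policy, member, permission, role_perms):
    """Split the member's roles into those known to carry the permission and
    those that still need review (contents not supplied, or binding is conditional)."""
    granting, unknown = [], []
    for b in policy.get("bindings", []):
        if member not in b.get("members", []):
            continue
        if b["role"] not in role_perms or "condition" in b:
            unknown.append(b["role"])
        elif permission in role_perms[b["role"]]:
            granting.append(b["role"])
    return sorted(granting), sorted(unknown)

if __name__ == "__main__":
    denial = parse_denial(POSTED)
    print(denial)
    print(roles_granting(POLICY_A, SA, denial["permission"], ROLE_PERMS))
```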
