Troubleshooting 403 Permission Denied Error for Service Control API Reporting

Google Cloud Serverless Applications
1

Hello Community,

I have a scenario where I am working with two Google Cloud projects:

  • Project A: Contains Service Control API and some private APIs.
  • Project B: Hosts a Cloud Run service with an application that uses Service Control API’s Check and Report methods.

Issue Description

I am encountering the following error when trying to report usage from Project B to Project A:

{
"error": "<HttpError 403 when requesting https://servicecontrol.googleapis.com/v1/services/compute.googleapis.com:report?alt=json returned \"Permission 'servicemanagement.services.report' denied for the consumer project (or it may not exist)\". Details: \"[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'IAM_PERMISSION_DENIED', 'domain': 'iam.googleapis.com', 'metadata': {'permission': 'servicemanagement.services.report'}}]\">"
}

Setup Details

  • Cloud Run Service in Project B calls Project A’s APIs to check VM status and report VM usage to Service Control.
  • Service account used by Cloud Run has the following roles assigned in both projects:
    • Service Controller
    • Service Reporter
    • Editor

Additionally, I have tried authenticating with a service account key from Project A, but I still face the same permission error.
I need help identifying why I am getting the IAM_PERMISSION_DENIED error despite the service account having the necessary roles. Any guidance or troubleshooting steps would be greatly appreciated!

Thank you!

2

Hello @harshada2828 ,

Thanks for sharing your setup details, issue description, and steps you’ve tried so far. Although I don’t have visibility on your projects’ exact configuration, here are additional steps I can recommend trying out:

  1. Double-check IAM permissions. Ensure the service account used by Cloud Run in Project B has the servicemanagement.services.report permission explicitly granted in Project A.

  2. Confirm if the Service Management API is enabled. See Getting Started with the Service Management API for more info on how to enable the API for your projects.

  3. Use Policy Troubleshooter to troubleshoot permission access. After you’ve checked the Service Management API is enabled, run the troubleshooter for an evaluation to determine possible causes for the permission issues. Refer to the image below for an example.

troubleshooter-evaluation-details.png
troubleshooter-evaluation-details.png1013×147 20 KB

You may also consider using a different authentication method. Since you mentioned your set up uses a Service Account key, there are more secure alternatives available that you may choose from based on your use case. If you prefer to continue using a Service Account key, refer to these Best Practices for more guidance.

Hope this helped!