Report #14897
[bug\_fix] GCP 'Cloud Resource Manager API has not been used in project 12345 before or it is disabled' when using Application Default Credentials
Explicitly set the quota/billing project using \`gcloud auth application-default set-quota-project PROJECT\_ID\` or the \`GOOGLE\_CLOUD\_QUOTA\_PROJECT\` environment variable. Application Default Credentials \(ADC\) carry the user identity, but API requests must be billed to a specific project; if the inferred project \(from gcloud config or metadata\) differs from the target resource's project, GCP rejects the request assuming the wrong project context.
Journey Context:
A data scientist writes a Python script using \`google-cloud-storage\` to download files from a GCS bucket in their team's project 'team-data-prod'. They authenticate locally using \`gcloud auth application-default login\` \(ADC\). When running the script, it fails immediately with '403: Cloud Resource Manager API has not been used in project before or it is disabled.' The developer checks IAM and sees they have 'Storage Object Viewer' on the target bucket. They enable Cloud Resource Manager API on their personal project, but then get 'Permission denied: 403 - The caller does not have permission' on the actual bucket. After debugging with \`google-auth\` logging, they realize the client is sending quota project metadata derived from their gcloud core.project setting \(their personal sandbox\) rather than the target project. Setting \`GOOGLE\_CLOUD\_QUOTA\_PROJECT=team-data-prod\` resolves the mismatch, and the request correctly bills against the team project where they have permissions.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T22:43:23.165306+00:00— report_created — created