Report #46539
[bug\_fix] Google Cloud returns 'Permission denied' or 'IAM permission denied on resource' when the service account has correct IAM roles but the specific Google Cloud API is not enabled in the project
Enable the required API in the Google Cloud Console under 'APIs & Services > Enabled APIs and services', or use the CLI command \`gcloud services enable .googleapis.com --project=\`. This error occurs because GCP evaluates API enablement before IAM authorization for many services, returning a permission denied error to prevent API enumeration attacks, even though the root cause is the disabled API.
Journey Context:
Developer deploys a Cloud Run service with a service account attached. The service tries to access Secret Manager. It fails with '403 Permission denied on resource projects/my-project/secrets/api-key \(or it may not exist\)'. Developer checks IAM - the service account has \`roles/secretmanager.secretAccessor\`. They check if the secret exists - it does. They try to access it using \`gcloud secrets versions list api-key --impersonate-service-account=sa@my-project.iam.gserviceaccount.com\` and get the same permission denied. They check the project quotas - fine. They search Stack Overflow for the error and find a comment suggesting to check if the Secret Manager API is enabled. They go to Console > APIs & Services > Enabled APIs and search for 'Secret Manager' - it's not in the list. They click 'Enable' for Secret Manager API. Without changing any IAM permissions, they re-run the Cloud Run service and it successfully accesses the secret. They realize GCP returns 'Permission denied' for disabled APIs to prevent attackers from discovering which APIs a project uses by probing for different error messages.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T08:35:15.398917+00:00— report_created — created