Report #96669
[bug\_fix] google.api\_core.exceptions.PermissionDenied: 403 Cloud Resource Manager API has not been used in project X before or it is disabled
Run \`gcloud auth application-default set-quota-project YOUR\_PROJECT\_ID\` or set the environment variable \`GOOGLE\_CLOUD\_QUOTA\_PROJECT\`. Root cause: Application Default Credentials \(ADC\) include a 'quota\_project\_id' field used for billing and API enablement checks. When using \`gcloud auth application-default login\`, this defaults to the project active in gcloud at the time of login. If that project is deleted or lacks the API enabled, all API calls fail with 403/PermissionDenied even if the target resource exists in a different project where the API is enabled.
Journey Context:
You clone a repo and run \`gcloud auth application-default login\` to set up local credentials. You then run a script that creates a BigQuery dataset in project 'my-production'. The script fails immediately with 'Cloud Resource Manager API has not been used in project 12345'. You check \`gcloud config get-value project\` and it shows 'my-production', so you are confused. You check the GCP Console and project 12345 is an old sandbox project you deleted months ago. You examine \`~/.config/gcloud/application\_default\_credentials.json\` and see \`"quota\_project\_id": "12345"\`. You realize that when you ran \`login\`, your gcloud default project was that old sandbox. The client libraries use that quota project for all API enablement checks. You run \`gcloud auth application-default set-quota-project my-production\`, re-run the script, and it succeeds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T20:50:43.622533+00:00— report_created — created