SGC GCP Test Connection Returns Error - Support and Troubleshooting

SGC GCP Test Connection Returns Error Issue .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } While testing the connection for SG-GCP, an error message appears: 'Method failed: (/v3/organizations/595994669073) with code: 403 - Forbidden username/password combo'. The error suggests unauthorized access, but credentials have been verified with the GCP team and confirmed to have required permissions.

STEPS TO REPRODUCE: 1. Navigate to Service Graph Connectors > GCP > Connections

2. Open the Connection record you have configured.

3. Click on 'Test Connection' Related Link.

4. Notice the error:

Error: Method failed: (/v3/organizations/ ) with code: 403 - Forbidden username/password combo

Symptoms .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Test Connection (or Guided Setup “Create & Test Connection”) for Service Graph Connector for GCP (sn_gcp_integ) fails with HTTP 403 when calling Google Cloud Resource Manager. ServiceNow may display a generic message such as: “Method failed: (/v3/organizations/) with code: 403 – Forbidden username/password combo” or “Unauthorized access. Make sure the credentials are correct” In System Logs → Outbound HTTP Requests ( sys_outbound_http_log ), the failing request is typically: GET https://cloudresourcemanager.googleapis.com/v3/organizations/ with response_status=403 The response body from Google shows a detailed error indicating the API is disabled. Facts .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } OAuth/JWT token generation can still succeed (e.g., token endpoint returns 200), but the subsequent API call to Cloud Resource Manager returns 403. The response body from Google contains structured error details, often including: status: "PERMISSION_DENIED" reason: "SERVICE_DISABLED" service: "cloudresourcemanager.googleapis.com" consumer: "projects/ " An activationUrl pointing to the API enablement page Example (sanitized) response body pattern: "Cloud Resource Manager API has not been used in project before or it is disabled. Enable it by visiting then retry..." "reason": "SERVICE_DISABLED" Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All Versions

Cause .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The Cloud Resource Manager API ( cloudresourcemanager.googleapis.com ) is not enabled (or has never been enabled) in the consumer project referenced in the error ( projects/ ).

Even if authentication is working (token is issued), Google will deny Cloud Resource Manager calls when the API is disabled for the consuming project, resulting in 403 PERMISSION_DENIED with SERVICE_DISABLED.

Resolution .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } 1) Enable the Cloud Resource Manager API in the consumer project.

Use the activationUrl provided in the error response body (recommended because it is guaranteed to target the correct project).

Console method (recommended):

Open the URL from the response body: https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project= Confirm the project selected is (or the matching project name in the header). Click Enable. Wait 5–10 minutes for enablement to propagate. Re-run Test Connection in ServiceNow. 2) Re-test and validate outcome After enabling the API and waiting for propagation:

Re-run the connector Test Connection. Confirm the outbound call to /v3/organizations/ now returns 200 (success). 3) If you still get 403 after enabling the API (next most common scenario) Once the API is enabled, a different 403 may appear such as:

Permission 'resourcemanager.organizations.get' denied... That indicates the API is enabled, but the service account lacks required IAM permissions to read the Organization. In that case, grant the appropriate org-level role(s) to the service account (e.g., Organization Viewer or an equivalent least-privileged role required by your discovery scope).

4) Logging/verification notes (ServiceNow) Ensure outbound logging is sufficient to capture the response body: Log Level All is required to include Response body (Basic/Elevated may not show it). If you see **body truncated** , ServiceNow may be hitting the maximum logging size. You can increase: glide.outbound_http.content.max_limit (maximum value is typically capped at 1000 characters in many releases). Be cautious: “All” level outbound logging may capture sensitive headers in logs; use only temporarily for troubleshooting.