# Error: Error creating resource: google_project_service: googleapi: Error 403: Cloud Resource Manager API has not been used in project 'my-project' before or it is disabled.

- **ID:** `policy/gcp-resource-manager-api-not-enabled`
- **Domain:** policy
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

The Google Cloud project does not have the Cloud Resource Manager API enabled, which is required to manage project-level resources like IAM policies and service accounts via Terraform or gcloud.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Google Cloud SDK 400+ | active | — | — |
| Terraform Google Provider 4.0+ | active | — | — |

## Workarounds

1. **Enable the Cloud Resource Manager API via gcloud: gcloud services enable cloudresourcemanager.googleapis.com --project=my-project** (95% success)
   ```
   Enable the Cloud Resource Manager API via gcloud: gcloud services enable cloudresourcemanager.googleapis.com --project=my-project
   ```
2. **Enable the API via the Google Cloud Console: go to APIs & Services > Library, search for 'Cloud Resource Manager API', and click Enable.** (90% success)
   ```
   Enable the API via the Google Cloud Console: go to APIs & Services > Library, search for 'Cloud Resource Manager API', and click Enable.
   ```
3. **In Terraform, add a google_project_service resource to enable the API before creating other resources: resource "google_project_service" "crm" { project = "my-project" service = "cloudresourcemanager.googleapis.com" }** (95% success)
   ```
   In Terraform, add a google_project_service resource to enable the API before creating other resources: resource "google_project_service" "crm" { project = "my-project" service = "cloudresourcemanager.googleapis.com" }
   ```

## Dead Ends

- **Re-authenticate with gcloud auth login to refresh credentials** — The error is not about authentication but about the API not being enabled; re-login does not enable APIs. (95% fail)
- **Use a different service account or user account to run the command** — The API disablement is project-wide; all accounts in the project face the same issue until the API is enabled. (90% fail)
- **Set the project ID in gcloud config and retry without enabling the API** — The API must be explicitly enabled; setting the project ID only changes the target project but does not enable the API. (85% fail)