203002 - GCP Authorization Failed

Agent error code #203002 indicates that the agent authenticated successfully with GCP, but the service account lacks the permissions required to perform the requested operation. The API returned HTTP 403 (Forbidden).

This error is distinct from authentication failures (#203001), which occur when the credentials are not accepted at all. Error #203002 means the credentials are valid but the service account's IAM roles are insufficient.

Common causes include:

  • The service account is missing the required IAM role (e.g., roles/compute.securityAdmin or a custom role)
  • The IAM role was recently removed or modified
  • The service account has permissions in a different project than the one configured in Knocknoc
  • An organization policy is restricting the service account's access

Steps to Resolve

Verify IAM Permissions

  1. In the GCP Console, navigate to IAM & Admin > IAM
  2. Find the service account used by the Knocknoc agent
  3. Verify it has the permissions required for the configured mode:
    • VPC Firewall mode: compute.firewalls.get and compute.firewalls.update
    • Cloud Armor mode: compute.securityPolicies.get and compute.securityPolicies.update
  4. The simplest predefined role to grant is roles/compute.securityAdmin; alternatively, create a custom role containing only the required permissions
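
The same check can be run offline against an exported policy. The following is an added example, not Knocknoc's own code: it takes a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and a map of role name to its included permissions (as listed by `gcloud iam roles describe`), and reports which of the permissions above the service account lacks. The mode keys, function name, service account, project and custom role names are hypothetical, the sample data is constructed, and only direct, unconditional project-level bindings are considered (group membership and folder or organization bindings are not).

```python
# Permissions the page lists for each Knocknoc GCP mode.
REQUIRED = {
    "vpc_firewall": {"compute.firewalls.get", "compute.firewalls.update"},
    "cloud_armor": {"compute.securityPolicies.get",
                    "compute.securityPolicies.update"},
}

def missing_permissions(policy, role_permissions, service_account, mode):
    """Return required permissions the account lacks via unconditional direct bindings."""
    member = f"serviceAccount:{service_account}"
    granted = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if "condition" in binding:
            continue  # a conditional grant may not apply to the agent's call
        granted.update(role_permissions.get(binding["role"], []))
    return sorted(REQUIRED[mode] - granted)

# Constructed sample data (hypothetical names, not from a real project).
SA = "knocknoc-agent@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "projects/example-project/roles/knocknocFirewall",
     "members": [f"serviceAccount:{SA}"]},
    {"role": "projects/example-project/roles/knocknocArmor",
     "members": [f"serviceAccount:{SA}"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
]}
SAMPLE_ROLES = {
    # Simulates a custom role that was modified and lost the update permission.
    "projects/example-project/roles/knocknocFirewall": ["compute.firewalls.get"],
    "projects/example-project/roles/knocknocArmor": [
        "compute.securityPolicies.get", "compute.securityPolicies.update"],
}

if __name__ == "__main__":
    for mode in REQUIRED:
        print(mode, "missing:",
              missing_permissions(SAMPLE_POLICY, SAMPLE_ROLES, SA, mode))
```

An empty result for the configured mode means the direct bindings cover the required permissions; if error #203002 persists, check the project ID and organization policies as described in the following sections.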

Verify the Correct Project

  1. Confirm the GCP Project ID configured in Knocknoc matches the project where the firewall rule or security policy exists
  2. The service account must have permissions in that specific project

Check Organization Policies

  1. If the project is part of a GCP organization, check for organization-level policies that may restrict API access
  2. Contact your GCP organization administrator if restrictions are in place

Still Having Issues?

We can help you out. Contact us at support@knocknoc.io.