Symptom

If the "transfer domain" option is chosen while purchasing a G-Suite subscription, the following error appears in the UX1 Customer Control Panel on the Sales Order completion:

Action required error on generate Google subscription with token Forbidden 


The below error can be seen in /var/log/httpd/error_log in G-Suite endpoint:

APS-apsgoogle[10489]:  DEBUG  10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Data used for transfer the domain domain.com in the batch request Google_Service_Reseller_Subscription Object
(
    [customerId] => Cxxxx9
    [purchaseOrderId] => 1xxxx8
    [resourceUiUrl] =>
    [skuId] => 1xxxxxx7
    [status] =>
    [subscriptionId] =>
    [plan] => Google_Service_Reseller_SubscriptionPlan Object
...
APS-apsgoogle[10489]:  ERROR  10489 |C:1160328|S:1396120|googlecoreservice::_getGoogleExceptionError## Error:  {
  "error": {
    "code": 403,
    "message": "Forbidden",
    "errors": [
      {
        "message": "Forbidden",
        "domain": "global",
        "reason": "forbidden"
      }
    ]
  }
}
APS-apsgoogle[10489]:  ERROR  10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Error transferring 1010020027. Error message: Forbidden
APS-apsgoogle[10489]:  ERROR  10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Error on Create Google Subscriptions: Forbidden
APS-apsgoogle[10489]:  ERROR  10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Error on generate Google  subscription with Token: Forbidden
APS-apsgoogle[10489]:  ERROR  10489 |C:1160328|S:1396120|googlecoreservice::_getGoogleExceptionError## Error:  Error on generate Google  subscription with Token: Forbidden
APS-apsgoogle[10489]:  ERROR  10489 |C:1160328|S:1396120|googleaccount::postOperationAsync## Error during post Operation tranferDomain: Error on generate Google  subscription with Token: Forbidden

Cause

The transfer key specified by the customer is not valid or expired.


Resolution

In order to fix the issue, a correct transfer key must be provided in the domain transfer screen.

  1. Customer has to generate a new transfer key on Google side and revoke/delete the existing one.
  2. From UX1 > Google, specify the newly generated token key to complete the provisioning.
  3. For more details, refer to the APS application guide attached.