Symptom
If the "transfer domain" option is chosen while purchasing a G-Suite subscription, the following error appears in the UX1 Customer Control Panel on the Sales Order completion:
Action required error on generate Google subscription with token Forbidden
The below error can be seen in /var/log/httpd/error_log in G-Suite endpoint:
APS-apsgoogle[10489]: DEBUG 10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Data used for transfer the domain domain.com in the batch request Google_Service_Reseller_Subscription Object ( [customerId] => Cxxxx9 [purchaseOrderId] => 1xxxx8 [resourceUiUrl] => [skuId] => 1xxxxxx7 [status] => [subscriptionId] => [plan] => Google_Service_Reseller_SubscriptionPlan Object ... APS-apsgoogle[10489]: ERROR 10489 |C:1160328|S:1396120|googlecoreservice::_getGoogleExceptionError## Error: { "error": { "code": 403, "message": "Forbidden", "errors": [ { "message": "Forbidden", "domain": "global", "reason": "forbidden" } ] } } APS-apsgoogle[10489]: ERROR 10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Error transferring 1010020027. Error message: Forbidden APS-apsgoogle[10489]: ERROR 10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Error on Create Google Subscriptions: Forbidden APS-apsgoogle[10489]: ERROR 10489 |C:1160328|S:1396120|googlecoreservice::_createSubscriptionWithToken## Error on generate Google subscription with Token: Forbidden APS-apsgoogle[10489]: ERROR 10489 |C:1160328|S:1396120|googlecoreservice::_getGoogleExceptionError## Error: Error on generate Google subscription with Token: Forbidden APS-apsgoogle[10489]: ERROR 10489 |C:1160328|S:1396120|googleaccount::postOperationAsync## Error during post Operation tranferDomain: Error on generate Google subscription with Token: Forbidden
Cause
The transfer key specified by the customer is not valid or expired.
Resolution
In order to fix the issue, a correct transfer key must be provided in the domain transfer screen.
- Customer has to generate a new transfer key on Google side and revoke/delete the existing one.
- From UX1 > Google, specify the newly generated token key to complete the provisioning.
- For more details, refer to the APS application guide attached.