docs: troubleshoot 403 gcp auth

Author: iru

README.md

@@ -52,7 +52,7 @@ Your user **must** have following **roles** in your GCP credentials
 * _Organization Admin_ (organizational usage only)
 
 ### Google Cloud CLI Authentication
-To authorize the cloud CLI to be used by Terraform check the following [Google docs.](https://cloud.google.com/sdk/docs/authorizing)
+To authorize the cloud CLI to be used by Terraform check the following [Terraform Google Provider docs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider)
 
 #### Use a Service Account
 
@@ -135,6 +135,20 @@ A: On your Google Cloud account, search for "APIs & Services > Enabled APIs & Se
 $ gcloud services list --enabled
 ```
 
+### Q: Getting  "googleapi: 403 Permission *** denied for resource"
+A: This may happen because permissions are not enough, API services were not correctly enabled, or you're not correctly authenticated for terraform google prolvider.
+<br/>S: Verify [permissions](#prerequisites), [api-services](apis), and that the [Terraform Google Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider) authentication has been correctly setup.
+You can also launch the following terraform manifest to check whether you're authenticated with what you expect
+
+```
+data "google_client_openid_userinfo" "me" {
+}
+
+output "me" {
+  value = data.google_client_openid_userinfo.me.*
+}
+```
+
 ### Q: In organizaitonal setup, Compliance trust-relationship is not being deployed on our projects
 A: If your organizational uses folders we currently don't support that.
 <br/>S: A workaround would be to use the `benchmark_project_ids` parameter so you can define the projects where compliance role is to be deployed explicitly. Let us know if this workaround won't be enough and we will work on implementing a solution.