Hi Damian - As you can see from my original post - My knowledge about the Dev console is next to nothing.  I believe that there are now three of us seeing the same issue, and suspect this is due to a change introduced by Google, I'm guessing about a month ago.  This is not something that has been turned on by any member of our companies.  If you have any in depth knowledge of the dev console can you give some guidance on how this organisation policy can be updated.

Well,

As I said at first response, use WIF instead of service keys. It's more secured and better way to use Service Accounts 🙂 

But if you want to change Org Policy:

Login as Org Admin -> IAM -> Organization policies -> Search for "Disable service account key creation".  Click on it -> MANAGE POLICY -> Edit policy as you want -> SET POLICY

cheers,
DamianS

Thanks so much for that - I understand what you are saying regards WIF, however I need to use a service Key, ass this is what the other systems requires.
The problem I have is that I need to assign Org Admin rights to myself to make this change.  I will give that a go.  I managed to assign the owner role at the organisation level - this allowed me to try to edit - but got an error when trying to save,

Lovely 🙂 What error did you received ? 

Also remember, that to be able to deal with Org Policies, you must have roles/orgpolicy.policyAdmin assigned at ORG Level into your principal.
More info here: 
https://cloud.google.com/resource-manager/docs/organization-policy/using-constraints

cheers,
DamianS

Owner might be not sufficient as you need 

"orgpolicy.policies.update , orgpolicy.policy.get ,orgpolicy.policy.set " to be able to edit Org Policies.  

cheers,

DamianS

I think that’s me.  I own the company and set up Google services.

All I’m trying to do is migrate our email from Google to Exchange and this seems way too difficult.

Basheer Alismail
Founder, Monument Health Advisors
<PII removed by staff>
www.monumenthealthadvisors.com
<PII removed by staff>

Hi Zorik16,

I am the org admin with super admin rights and I am still unable to modify the permission iam.disableServiceAccountKeyCreation.

I am not that strong in Google workspace but I thought super admin would be the same as an orgadmin that would be able to modify this.

Jake

Hi @Jacobees ,

---

@Jacobees wrote:

I am not that strong in Google workspace but I thought super admin would be the same as an orgadmin that would be able to modify this.

---

Nope. SuperAdmin is an admin for Google Workspace, so he is able to do anything around Google Workspace. However, Org Admin is a different story and this entity is able to deal only around Google Cloud. In fact, if you are login as SuperAdmin to Google Cloud, you are not automatically became Org Admin. You will get following basic permissions by default , and only via predefined roles you will be able to get more permissions ( yes, if you are login as SuperAdmin, you are able to grant IAM permissions for your own principal at organization level, however as I said, by default you don't more power than showed on this screenshot.)

cheers,
DamianS

Hi DamianS,

I am unable to find instructions on how to grant my Super user account Org Admin Permissions to Google cloud so that I have the ability to edit the iam.disableServiceAccountKeyCreation constraint, allowing me to create a JSON key for my migration project.

Would you be able to point me in the right direction, Google documentation, or a Third party how to article?

Cheers

Jake.

Hello @Jacobees ,

1. Pick your user. I've created user named "test test" for this demo. 
2. Add your newly created user to Super Admin role OR be sure that you user is in that group. Log in to admin.google.com -> Account-> Admin roles -> Super Admin

3. Go to https://console.cloud.google.com and log in with your SUperUser from step1.
4. From left top right corner pick project list and search for your organization

5. Search for IAM -> Grant Access -> Add your SuperUser in "New principals" field. Select either Organization Admin or Organization Policy Administrator to be able to deal with org policies.

6. Click "SAVE"
7. You can verify your changes. Once saved, wait few minutes to be sure that IAM have been properly propagated. 

Add1. You can verify your permissions by using Policy Analyzer -> What access does my employee ( or terminated employee ) have -> Create query -> Put email name for your SuperUser in "Principal" field -> Continue -> Check boxes (

Hi Damian S,

Thank you for the  effort you went to providing me with this information. I was able to successfully follow these steps and create the key.

My issue was I had added the Organization Administrator role but did not have the Organization Policy Administrator added.

Cheers,

Jake.

Hello @Jacobees , 
Great to hear that . 

Damian, Thanks so very much for this answer. I am brand new to Google Workspace for nonprofits, and volunteer at that. I had the same problem as Jacobees, and am so glad for your answer. I now have a backup task working.

Happy to help 🙂 ☮️

Your instructions saved me. Thanks, kind soul! 

The only issue was that when I set the Org Admin role, I completely lost all permissions. The Owner role saved the day.

I have a very simple task — to get an OAuth token to send emails on behalf of the organization. It seemed like a trivial task, but Google has made it so complicated...

The policy is enabled in the project when I go to Roles. However, it is not available in the Select Role drop down box. 

Hi MarkJP,

Can Confirm the same steps also worked for me. Glad you got this across the line as well.

Jake.

Champion effort! After trying to work this out for hours, your post got it going in 10 mins. Cheers.

@riyoutku ,
This policy can be assigned ONLY at organization level. You are showing project level on the screenshot, and this is why you are not able to see mentioned policy

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

Hello @cristiane  ,Welcome on Google Cloud Community.

Yes, this solution still works. Additionally look at this medium.com article, which tries explain deeper this case: https://medium.com/google-cloud/troubleshooting-101-solving-the-service-account-key-creation-is-disa...

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

I'm running into this issue, where I follow the instructions above (and in other forums), but the problem persists. I keep getting a message that the policy constraint is enforced even though I changed the policy to "Not Enforced" at the organization level.

Please let me know if you were able to find a solution.

THIS FIXED THE ISSUE FOR ME TWO. both need to be turned off. terrible ux

After dealing with the whole SuperAdmin and Organization Policy Admin bullshit (even if I am the owner and just registered the Workspace account), I had the same problem.

There are two of these "Disable service account key creation policies" and one named "legacy" was active! Unbelievably bad and retarded design by Google.

I still couldn't create a service account key from the firebase console, but I could from https://console.cloud.google.com/iam-admin/serviceaccounts/