Re: cannot create Service account key

vitalys

I changed the iam.disableServiceAccountKeyCreation policy to "not enforced" at the org and at the project levels, but I still cannot create service account keys. Please advise. Thanks

kensan

Hi @vitalys,

Welcome to Google Cloud Community

Even if you've set iam.disableServiceAccountKeyCreation to "not enforced" at the Organization and Project levels, key creation can still be blocked.

Here are the possible reasons you can check:

Inheritance and Folders: Organization Policies are inherited. If this policy is enforced at a Folder level that sits between your Organization and your Project, the Folder's enforcement will take precedence over the Project's "not enforced" setting. You can check this document to understand how to manage the organization policies.
IAM Permissions: Even if the Organization Policy allows key creation, the user or service account attempting to create the key needs the necessary IAM permission. Make sure you have a role service account key admin (roles/iam.serviceAccountKeyAdmin) to be able to create a service account key.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

vitalys

Thank you. I will look into it further and respond it this helps.

vitalys

Hi added serviceAccountKeyAdmin jic. I don't understand where folders come into play. As you can see in the provided screenshots, I am trying to create service account key for the the default service account in a very new admin account. Which menu/action sequence do I need to follow before I can create this key? Please advise.