This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

cannot create Service account key

Posted 4 weeks ago
vitalys
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I changed the iam.disableServiceAccountKeyCreation policy to "not enforced" at the org and at the project levels, but I still cannot create service account keys. Please advise. Thanks

vitalys_0-1747255001756.png

vitalys_1-1747255186606.png

vitalys_2-1747255256245.png

 

 

Solved Solved
0 5 283
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
vitalys
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

JFYI, this helped:
- https://youtu.be/ABIiOM9X5kM?si=AQBVVE4R0pvYWlGA
- and prompting Gemini 2.5 Pro with: "Provide me with precise (and verified) step-by-step instructions on how to create a service account key under my Google Workspace admin account. I need it to be able to upload documents to Google Drive from a Python program."

View solution in original post

Jump to Solution
0 Likes
5 REPLIES 5

Posted on --/--/---- --:-- AM
kensan
Staff
Reply posted on --/--/---- --:-- AM

Hi @vitalys,

Welcome to Google Cloud Community

Even if you've set iam.disableServiceAccountKeyCreation to "not enforced" at the Organization and Project levels, key creation can still be blocked.

Here are the possible reasons you can check:

  • Inheritance and Folders: Organization Policies are inherited. If this policy is enforced at a Folder level that sits between your Organization and your Project, the Folder's enforcement will take precedence over the Project's "not enforced" setting. You can check this document to understand how to manage the organization policies.
  • IAM Permissions: Even if the Organization Policy allows key creation, the user or service account attempting to create the key needs the necessary IAM permission. Make sure you have a role service account key admin (roles/iam.serviceAccountKeyAdmin) to be able to create a service account key.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
vitalys
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Thank you. I will look into it further and respond it this helps. 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
vitalys
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi added serviceAccountKeyAdmin jic. I don't understand where folders come into play. As you can see in the provided screenshots, I am trying to create service account key for the the default service account in a very new admin account. Which menu/action sequence do I need to follow before I can create this key? Please advise.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
quincho
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I'm also experiencing this same problem and haven't found a solution to this. I also found this in the web:
"Since May 3, 2024, key creation for service accounts is disabled by default.
More information:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts?auth...
"

Any way to get around this?

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
vitalys
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

JFYI, this helped:
- https://youtu.be/ABIiOM9X5kM?si=AQBVVE4R0pvYWlGA
- and prompting Gemini 2.5 Pro with: "Provide me with precise (and verified) step-by-step instructions on how to create a service account key under my Google Workspace admin account. I need it to be able to upload documents to Google Drive from a Python program."

Jump to Solution
0 Likes
Top Solution Authors
View all