Subject: Unable to Create Service Account Keys Due to Enforced Policy: constraints/iam.disableServic

Hello Community,

I’m facing a major roadblock with my Google Cloud project and need urgent assistance. Here’s a summary of my issue:


The Problem:

  1. Service Account in Question:

    • Email: tlentine-upahead-online@[project].iam.gserviceaccount.com
  2. Issue:

    • I am unable to create a key for this service account (or any other service account in my project) due to an enforced organization-level policy:
      constraints/iam.disableServiceAccountKeyCreation.

    • When attempting to create a key, I receive this error:

      ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
      - '@type': type.googleapis.com/google.rpc.PreconditionFailure
        violations:
        - description: Key creation is not allowed on this service account.
          subject: projects/[project]/serviceAccounts/tlentine-upahead-online@[project].iam.gserviceaccount.com
          type: constraints/iam.disableServiceAccountKeyCreation

Steps I’ve Taken:

  1. Policy Checks:

    • Used gcloud org-policies describe to confirm that constraints/iam.disableServiceAccountKeyCreation is enforced at the organization level.
    • Attempted to disable or reset the policy, but lack the orgpolicy.policies.update permission.
  2. Service Account Key List:

    • Verified that a key exists for the service account, valid until 2025-01-14.
    • However, I cannot locate the .json file associated with the key.
  3. Support Limitations:

    • I attempted to upgrade my support plan but found I am not eligible to purchase Standard or Enhanced Support.

Questions:

  1. How can I create a new key or recover the existing one under this enforced policy?
  2. Is there a workaround or alternative authentication method (e.g., Workload Identity Federation) that I can use without violating the policy?
  3. Has anyone encountered and resolved a similar issue with a locked-down organization policy?

Context:

  • I am the owner of the project but lack permissions to modify organization-level policies.
  • My current support plan is Basic Support (billing-only), limiting my options to escalate this issue.

Any help, insights, or pointers would be greatly appreciated! This issue is significantly delaying my project. 

Thank you in advance!
Thomas Lentine
Owner, UpAhead LLC

Hi @tlentine,

Welcome to Google Cloud Community!

Are you able to edit your IAM user role with “Organization Policy Administrator” and “Organization Administrator” at the organization-level? If you are able to add these roles, this should enable you to modify disableServiceAccountKeyCreation in the “Organization Policies” section.

See the following questions that were asked in Google Cloud Community and Stackoverflow a while ago for reference:

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Thank you for this answer. I was able to modify my Org Policies after I made the changes at the org-level instead of trying to do it in the project itself.
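Question 2 of the original post asks whether Workload Identity Federation can be used without touching the constraint. It can: a workload presents a token from an external identity provider, exchanges it at Google's Security Token Service for a short-lived federated token, and then uses that token to impersonate the service account. No user-managed key is ever created, so constraints/iam.disableServiceAccountKeyCreation never comes into play. (The private half of an already-listed key is not retained by Google, so a lost key file cannot be recovered either way.) The following is an added example, not code from the original post or from Google; it models both HTTP exchanges with the standard library only. The project number, pool, provider, service-account address and the offline stand-in for Google's responses are constructed placeholders.

```python
"""Keyless service-account access via Workload Identity Federation (WIF).

Added example (not from the original thread). Two exchanges replace a key file:
  1. STS (sts.googleapis.com): external OIDC/JWT  ->  federated access token
  2. IAM Credentials API: federated token  ->  access token for the SA
All identifiers below are placeholders; fake_google_post is a constructed
stand-in so the flow runs offline.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                       "serviceAccounts/{sa}:generateAccessToken")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Transport signature: post(url, body_bytes, headers) -> decoded JSON reply.
PostFn = Callable[[str, bytes, Dict[str, str]], Dict]


def wif_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Audience naming the pool provider; STS rejects an exchange whose
    audience does not match a provider configured in the project."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def http_post(url: str, body: bytes, headers: Dict[str, str]) -> Dict:
    """Real transport (needs network): POST and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def exchange_subject_token(subject_token: str, audience: str,
                           subject_token_type: str = "urn:ietf:params:oauth:token-type:jwt",
                           post: PostFn = http_post) -> str:
    """Step 1: RFC 8693 token exchange at STS. Returns the federated token."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": audience,
        "scope": CLOUD_PLATFORM_SCOPE,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": subject_token_type,
        "subject_token": subject_token,
    }
    reply = post(STS_TOKEN_URL, urllib.parse.urlencode(form).encode(),
                 {"Content-Type": "application/x-www-form-urlencoded"})
    return reply["access_token"]


def impersonate(sa_email: str, federated_token: str, lifetime_s: int = 3600,
                post: PostFn = http_post) -> Dict:
    """Step 2: generateAccessToken on the SA, authenticated with the federated
    token. Requires roles/iam.workloadIdentityUser on the SA for the pool
    principal. Returns {"accessToken": ..., "expireTime": ...}."""
    body = json.dumps({"scope": [CLOUD_PLATFORM_SCOPE],
                       "lifetime": f"{lifetime_s}s"}).encode()
    headers = {"Authorization": f"Bearer {federated_token}",
               "Content-Type": "application/json"}
    return post(IAM_CREDENTIALS_URL.format(sa=sa_email), body, headers)


def access_token_via_wif(subject_token: str, project_number: str, pool_id: str,
                         provider_id: str, sa_email: str,
                         post: PostFn = http_post) -> str:
    """Full flow: external token -> federated token -> SA access token."""
    audience = wif_audience(project_number, pool_id, provider_id)
    federated = exchange_subject_token(subject_token, audience, post=post)
    return impersonate(sa_email, federated, post=post)["accessToken"]


# ---- Constructed offline stand-in for Google's endpoints (not real) -------
FAKE_PROJECT_NUMBER, FAKE_POOL, FAKE_PROVIDER = "123456789012", "ci-pool", "ci-provider"
FAKE_SA = "my-sa@my-project.iam.gserviceaccount.com"  # placeholder address
EXPECTED_AUDIENCE = wif_audience(FAKE_PROJECT_NUMBER, FAKE_POOL, FAKE_PROVIDER)


def fake_google_post(url: str, body: bytes, headers: Dict[str, str]) -> Dict:
    """Mimics the checks the real services make: audience must match a
    configured provider, and impersonation needs the federated token."""
    if url == STS_TOKEN_URL:
        form = dict(urllib.parse.parse_qsl(body.decode()))
        if form.get("grant_type") != "urn:ietf:params:oauth:grant-type:token-exchange":
            raise ValueError("STS: unsupported grant_type")
        if form.get("audience") != EXPECTED_AUDIENCE:
            raise PermissionError("STS: audience does not name a configured provider")
        if form.get("subject_token") != "external-oidc-jwt":
            raise PermissionError("STS: subject token rejected")
        return {"access_token": "federated-token", "token_type": "Bearer",
                "expires_in": 3599,
                "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"}
    if url == IAM_CREDENTIALS_URL.format(sa=FAKE_SA):
        if headers.get("Authorization") != "Bearer federated-token":
            raise PermissionError("IAM Credentials: federated token missing or invalid")
        return {"accessToken": "sa-access-token", "expireTime": "2025-01-01T00:00:00Z"}
    raise ValueError(f"unexpected URL: {url}")


if __name__ == "__main__":
    print(access_token_via_wif("external-oidc-jwt", FAKE_PROJECT_NUMBER, FAKE_POOL,
                               FAKE_PROVIDER, FAKE_SA, post=fake_google_post))
```

Against real endpoints, pass the default `http_post` transport and a genuine OIDC token from the workload's own identity provider; the pool, provider attribute mapping and the `roles/iam.workloadIdentityUser` binding on the service account are configured in GCP and are not shown here. Because the resulting credential is a short-lived access token rather than a long-lived private key, it is the option that keeps the organization's constraint intact instead of relaxing it.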