Subject: Unable to Create Service Account Keys Due to Enforced Policy: constraints/iam.disableServic

Google Cloud Compute Infrastructure
, ,
1

Hello Community,

I’m facing a major roadblock with my Google Cloud project and need urgent assistance. Here’s a summary of my issue:

The Problem:

  1. Service Account in Question:

    • Email: tlentine-upahead-online@[project].iam.gserviceaccount.com

  2. Issue:

    • I am unable to create a key for this service account (or any other service account in my project) due to an enforced organization-level policy:
      constraints/iam.disableServiceAccountKeyCreation.

    • When attempting to create a key, I receive this error:

      ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: Key creation is not allowed on this service account.
    subject: projects/[project]/serviceAccounts/tlentine-upahead-online@[project].iam.gserviceaccount.com
    type: constraints/iam.disableServiceAccountKeyCreation

Steps I’ve Taken:

  1. Policy Checks:

    • Used gcloud org-policies describe to confirm that constraints/iam.disableServiceAccountKeyCreation is enforced at the organization level.
    • Attempted to disable or reset the policy, but lack the orgpolicy.policies.update permission.

  2. Service Account Key List:

    • Verified that a key exists for the service account, valid until 2025-01-14.
    • However, I cannot locate the .json file associated with the key.

  3. Support Limitations:

    • I attempted to upgrade my support plan but found I am not eligible to purchase Standard or Enhanced Support.

Questions:

  1. How can I create a new key or recover the existing one under this enforced policy?
  2. Is there a workaround or alternative authentication method (e.g., Workload Identity Federation) that I can use without violating the policy?
  3. Has anyone encountered and resolved a similar issue with a locked-down organization policy?

Context:

  • I am the owner of the project but lack permissions to modify organization-level policies.
  • My current support plan is Basic Support (billing-only), limiting my options to escalate this issue.

Any help, insights, or pointers would be greatly appreciated! This issue is significantly delaying my project.

Thank you in advance!
Thomas Lentine
Owner, UpAhead LLC

2

Hi @tlentine ,

Welcome to Google Cloud Community!

Are you able to edit your IAM user role with “Organization Policy Administrator” and “Organization Administrator” at the organization-level? If you are able to add these roles, this should enable you to modify disableServiceAccountKeyCreation in the “Organization Policies” section.

See the following questions that were asked in Google Cloud Community and Stackoverflow a while ago for reference:

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

3

Thank you for this answer. I was able to modify my Org Policies after I made the changes at the org-level instead of trying to do it in the project itself.

1 Like