
Error: “Key creation is not allowed on this service account” when running GCP integration script

Written by Shannon DeLange
Updated today

When running the provided script in GCP to create the service account key, the following error is received:

ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: Key creation is not allowed on this service account.
    subject: xxxxxxxxxxxxxxxxxxx
    type: constraints/iam.disableServiceAccountKeyCreation

Cause

This is occurring because there is an organizational policy disabling the creation of service account keys.

Resolution

  • Navigate to the Organization Policies page in GCP. Ensure you are doing this from within your organization and not at the project level.

  • Find the "Disable service account key creation" policy and select Edit policy in the right menu:

[Screenshot: SAkey1.png]

  • Select Customize and under Add rule select "off" for Enforcement. Then select Save:

[Screenshot: SAkey2.png]

  • You should now be able to rerun the script successfully!

If you would like to do this via gcloud instead, you can use the following command:

gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --organization=your-organization-id
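The command above switches the constraint off for the entire organization, which removes a control that was deliberately put in place. The script below is an added example, not part of this article, showing a narrower way to get the same result with gcloud: it checks the effective policy on a single project, lifts enforcement only for that project, creates the key, and re-enables enforcement immediately afterwards. The project ID, service-account e-mail and key file path are placeholders supplied as arguments. Setting an org policy at project scope still requires the Organization Policy Administrator role (roles/orgpolicy.policyAdmin), and the `--project` override only works if the organization-level policy does not block inheritance overrides.

```shell
#!/bin/sh
# Added example (not from the original article). Creates a service-account key
# while constraints/iam.disableServiceAccountKeyCreation is enforced, by lifting
# the constraint for one project only and re-enabling it as soon as the key exists.
# Assumed placeholders: PROJECT_ID, SA_EMAIL and KEY_FILE come from the caller.

CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Returns 0 when the effective policy on the project enforces the constraint.
# Assumes the "booleanPolicy: / enforced: true" YAML shape that
# `org-policies describe --effective` prints for boolean constraints.
key_creation_blocked() {
  project="$1"
  gcloud resource-manager org-policies describe "$CONSTRAINT" \
    --project="$project" --effective 2>/dev/null \
    | grep -q "enforced: true"
}

# Lift the constraint at project scope (only if needed), create the key, then
# restore enforcement even if key creation failed. Returns the status of the
# key creation so callers can detect a failed download.
create_key_with_temporary_exception() {
  project="$1"; sa_email="$2"; key_file="$3"
  reenable=0

  if key_creation_blocked "$project"; then
    gcloud resource-manager org-policies disable-enforce "$CONSTRAINT" \
      --project="$project" || return 1
    reenable=1
  fi

  rc=0
  gcloud iam service-accounts keys create "$key_file" \
    --iam-account="$sa_email" --project="$project" || rc=$?

  # Restore the control regardless of whether the key was created.
  if [ "$reenable" -eq 1 ]; then
    gcloud resource-manager org-policies enable-enforce "$CONSTRAINT" \
      --project="$project"
  fi
  return "$rc"
}

# Usage: sh temp_key.sh PROJECT_ID SA_EMAIL KEY_FILE
if [ "$#" -eq 3 ]; then
  create_key_with_temporary_exception "$1" "$2" "$3"
fi
```

Because the exception is removed in the same run, the window in which keys can be minted is seconds rather than indefinite, and the change is visible in the project's org-policy audit log rather than silently altering the organization-wide posture.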