Error: “Key creation is not allowed on this service account” when running GCP integration script


When running the provided script in GCP to create the service account key, the following error is received:

ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- description: Key creation is not allowed on this service account.
subject: xxxxxxxxxxxxxxxxxxx
type: constraints/iam.disableServiceAccountKeyCreation

Cause

This occurs because an organization policy, the constraint constraints/iam.disableServiceAccountKeyCreation shown in the error, is enforced on your organization and blocks the creation of service account keys.

Resolution

  1. Navigate to the Organization Policies page in the GCP console. Ensure you are doing this from within your organization and not at the project level.
  2. Find the "Disable service account key creation" policy and select Edit policy in the right menu.
  3. Select Customize and, under Add rule, select "off" for Enforcement. Then select Save.
  4. You should now be able to rerun the script successfully.

If you would prefer to do this via gcloud instead, run the following command, replacing your-organization-id with your organization ID:

gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --organization=your-organization-id
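The following shell helper is an added example and is not part of the original article or the vendor's script. It recognizes this specific FAILED_PRECONDITION error in the output of `gcloud iam service-accounts keys create`, pulls out the blocked service account from the `subject:` line, and prints the org-policy commands to run in order: describe the effective policy, disable enforcement, and (once the key exists) re-enable enforcement so the organization is not left with key creation open. The organization ID is a placeholder taken from the ORG_ID environment variable, and the sample error text is constructed to match the shape of the error above.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Diagnoses the org-policy
# key-creation error and prints the gcloud remediation sequence.

ORG_ID="${ORG_ID:-your-organization-id}"   # placeholder; set ORG_ID in your environment
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Constructed sample of the gcloud error, used for offline demonstration.
SAMPLE_ERROR='ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
- '"'"'@type'"'"': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- description: Key creation is not allowed on this service account.
  subject: example-sa@example-project.iam.gserviceaccount.com
  type: constraints/iam.disableServiceAccountKeyCreation'

# Reads gcloud error text from stdin. Returns 0 only when the failure is the
# org-policy block on key creation, 1 for any other error.
is_key_creation_blocked() {
  text=$(cat)
  case "$text" in
    *FAILED_PRECONDITION*"constraints/${CONSTRAINT}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads gcloud error text from stdin and prints the blocked service account
# (the first "subject:" line in the violation list).
blocked_subject() {
  sed -n 's/^[[:space:]]*subject:[[:space:]]*//p' | head -n 1
}

# Prints the remediation commands in the order they should be run. The last
# line restores enforcement after the key has been created.
remediation_commands() {
  cat <<EOF
gcloud resource-manager org-policies describe ${CONSTRAINT} --organization=${ORG_ID} --effective
gcloud resource-manager org-policies disable-enforce ${CONSTRAINT} --organization=${ORG_ID}
gcloud resource-manager org-policies enable-enforce ${CONSTRAINT} --organization=${ORG_ID}
EOF
}

# Reads gcloud error text from stdin and prints either the remediation steps
# or a note that the error is something else.
# Usage: gcloud iam service-accounts keys create ... 2>&1 | diagnose
diagnose() {
  text=$(cat)
  if printf '%s\n' "$text" | is_key_creation_blocked; then
    echo "Key creation blocked by org policy for: $(printf '%s\n' "$text" | blocked_subject)"
    echo "Run, in order:"
    remediation_commands
  else
    echo "Not the org-policy key-creation error; check the gcloud output directly."
    return 1
  fi
}
```

Source the file and pipe the failing command's output into `diagnose`, or feed it `SAMPLE_ERROR` to see the output shape. Enforcement is re-enabled as the final step because leaving the constraint disabled org-wide removes a control that applies to every project, not just the one running the integration script.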