When running the provided script in GCP to create the service account key, the following error is received:

    ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
    - '@type': type.googleapis.com/google.rpc.PreconditionFailure
      violations:
      - description: Key creation is not allowed on this service account.
        subject: xxxxxxxxxxxxxxxxxxx
        type: constraints/iam.disableServiceAccountKeyCreation
Cause
This occurs because an organization policy (the constraint iam.disableServiceAccountKeyCreation shown in the error) disables the creation of service account keys for the organization.
Resolution
1. Navigate to the Organization Policies page in GCP. Ensure you are doing this from within your organization and not at the project level.
2. Find the "Disable service account key creation" policy and select Edit policy in the right menu:
3. Select Customize and, under Add rule, set Enforcement to "Off". Then select Save:
4. You should now be able to rerun the script successfully!
If you would prefer to do this via gcloud instead, run the following command:

    gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --organization=your-organization-id

This constraint is a security control against long-lived service account keys. Lift it at the narrowest scope that needs it (the same command accepts --folder or --project in place of --organization) and re-enable enforcement with enable-enforce once the key has been created.
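As an added example (not part of the original article), the following POSIX shell script recognises the PreconditionFailure output shown above, confirms that the blocking constraint is iam.disableServiceAccountKeyCreation, and prints the matching org-policy commands for a chosen scope, including the enable-enforce command to restore the control afterwards. The constraint name, the disable-enforce/enable-enforce subcommands and the --organization/--folder/--project flags are gcloud's own; the sample error text is copied from the article, and the project ID my-project-id is a constructed placeholder.

```shell
#!/bin/sh
# Added example: parse the gcloud key-creation error and print a scoped
# remediation plus the command that restores enforcement afterwards.

KEY_CREATION_CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Extract the constraint name from the "type: constraints/..." line that
# gcloud prints inside the PreconditionFailure details.
# Prints nothing when the output is not this kind of failure.
constraint_from_error() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*type:[[:space:]]*constraints\/\(.*\)$/\1/p' \
    | head -n 1
}

# Succeeds (exit 0) only when the error is the disabled-key-creation constraint.
key_creation_blocked() {
  [ "$(constraint_from_error "$1")" = "$KEY_CREATION_CONSTRAINT" ]
}

# Build the org-policy command for the narrowest scope that needs the change.
#   action: disable-enforce | enable-enforce
#   scope:  organization | folder | project
#   id:     the numeric org/folder ID or the project ID
org_policy_cmd() {
  action="$1"; scope="$2"; id="$3"
  case "$scope" in
    organization|folder|project) ;;
    *) echo "unknown scope: $scope" >&2; return 1 ;;
  esac
  printf 'gcloud resource-manager org-policies %s %s --%s=%s\n' \
    "$action" "$KEY_CREATION_CONSTRAINT" "$scope" "$id"
}

# Constructed sample: the stderr text from the article, embedded so the
# script runs offline without calling gcloud.
SAMPLE_ERROR='ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
- '"'"'@type'"'"': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: Key creation is not allowed on this service account.
    subject: xxxxxxxxxxxxxxxxxxx
    type: constraints/iam.disableServiceAccountKeyCreation'

if key_creation_blocked "$SAMPLE_ERROR"; then
  echo "Key creation is blocked by org policy. Lift it for one project, create the key, then restore:"
  org_policy_cmd disable-enforce project my-project-id   # constructed project ID
  org_policy_cmd enable-enforce  project my-project-id
fi
```

In practice you would feed the real stderr of the failing gcloud call into key_creation_blocked; the script only prints the remediation commands rather than executing them, so the decision to lift the policy stays with an administrator.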