This article addresses the error "Service account key creation is disabled" with the reason iamdisableServiceAccountKeyCreation is enforced. This issue typically occurs in new Google Workspace or Google Cloud Platform (GCP) environments and prevents the creation of service accounts and keys needed for CloudM Migrate.
Symptom
You may be blocked from creating the required service accounts and keys for CloudM Migrate, with the following error messages:
- "Error: Service account key creation is disabled"
- "Reason: iamdisableServiceAccountKeyCreation is enforced"
This can also be accompanied by the symptom of your domain organization not being visible under Select a resource when creating a project.
Prerequisites: Wait for Domain Propagation
When working with a brand new Google Workspace or GCP environment, it can take time for your domain to fully propagate. This is a common occurrence in new tenants and usually resolves itself within a couple of hours. Before you begin the resolution steps, ensure your organization is visible in the GCP console.
- Wait Time: Domain propagation can take a few hours.
- Check: Verify that your domain organization is visible under Select a resource at the top of the GCP console.
- Action: If it is not visible, try refreshing the page or logging out and back in to force the update. Do not proceed until you can see your organization.
Cause
The iamdisableServiceAccountKeyCreation policy is an organization-level constraint that restricts who can create service account keys. This policy is often enabled by default in new Google Cloud Platform tenants to enhance security. To perform a migration, your super admin account must have the necessary permissions to modify this policy and create the required keys.
Resolution: How to Resolve This Issue Faster
To resolve this issue faster, you must grant your super admin account the necessary permissions in GCP to modify the organization policy that prevents key creation.
Step 1: Enable IAM API
- Navigate to console.cloud.google.com.
- In the search bar at the top, type IAM API and press Enter.
- If the API is not enabled, click the Enable button. This is a crucial step to ensure the necessary services are active.
Step 2: Grant Project-Level Permissions
- In the Select a resource drop-down menu at the top left, select your Domain Name.
- Go to IAM & Admin > IAM.
- Edit your super admin account and add the Organization Policy Administrator and Organization Administrator roles.
Note: The Organization Policy Administrator role can only be applied at the domain level, while the Organization Administrator role may be applied at either the domain or project level.
- Save the changes.
Step 3: Modify the Organization Policy
- After granting the permissions in the previous step, go to IAM & Admin > Organization Policies.
- Search for the policy: Disable service account key creation.
- Click Modify policy.
- Change the rule to Google Managed.
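The same sequence, driven from the gcloud CLI instead of the console, as an added example that is not CloudM's or Google's own code. It first classifies the effective organization policy so you can confirm that the constraint really is enforced (rather than a stale permission being the problem), then wraps the prerequisite check and Steps 1 to 3 in functions, and finally re-enforces the constraint once the migration keys exist. It goes slightly beyond the article in recognising both the current `rules: - enforce:` policy form and the legacy `booleanPolicy: enforced:` form. ORG_ID, PROJECT_ID and ADMIN_EMAIL are placeholders, the sample policy documents are constructed, and the explicit `enforce: false` override is this example's choice (the article's "Google Managed" setting corresponds to `gcloud org-policies reset`).

```shell
#!/usr/bin/env bash
# Added example (not CloudM's or Google's code): confirms whether the
# iam.disableServiceAccountKeyCreation constraint is what is blocking key
# creation, and wraps this article's console steps in gcloud commands.
# ORG_ID, PROJECT_ID and ADMIN_EMAIL are placeholders; replace them.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                     # placeholder org ID
PROJECT_ID="${PROJECT_ID:-cloudm-migrate-project}"   # placeholder project ID
ADMIN_EMAIL="${ADMIN_EMAIL:-superadmin@example.com}" # placeholder super admin
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Classify the effective policy text that
# `gcloud org-policies describe $CONSTRAINT --effective --format=yaml` prints.
# Recognises the current "rules: - enforce: true" form and the legacy
# "booleanPolicy: enforced: true" form. Prints "blocked" or "allowed".
key_creation_status() {
  if printf '%s\n' "$1" |
     grep -Eq '^[[:space:]]*(-[[:space:]]*)?enforced?:[[:space:]]*true[[:space:]]*$'; then
    echo blocked
  else
    echo allowed
  fi
}

# Constructed sample policy documents (not captured from a real organization).
SAMPLE_ENFORCED='name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true'
SAMPLE_LEGACY='booleanPolicy:
  enforced: true
constraint: constraints/iam.disableServiceAccountKeyCreation'
SAMPLE_RELAXED='name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: false'

# Prerequisite: the organization must be visible before anything else works.
org_is_visible() {
  gcloud organizations list --format='value(ID)' | grep -qx "$ORG_ID"
}

# Step 1: enable the IAM API on the migration project.
enable_iam_api() {
  gcloud services enable iam.googleapis.com --project="$PROJECT_ID"
}

# Step 2: grant the two roles named in the article at the organization level.
grant_admin_roles() {
  for role in roles/orgpolicy.policyAdmin roles/resourcemanager.organizationAdmin; do
    gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="user:$ADMIN_EMAIL" --role="$role"
  done
}

# Step 3 helper: write an explicit rule for the constraint ($1 = true|false).
write_key_creation_rule() {
  policy_file="$(mktemp)"
  cat >"$policy_file" <<EOF
name: organizations/${ORG_ID}/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: $1
EOF
  gcloud org-policies set-policy "$policy_file"
  rm -f "$policy_file"
}

# Step 3: only relax the constraint when the effective policy really enforces it.
relax_key_creation_policy() {
  effective="$(gcloud org-policies describe "$CONSTRAINT" \
                 --organization="$ORG_ID" --effective --format=yaml)"
  if [ "$(key_creation_status "$effective")" = allowed ]; then
    echo "Key creation is already allowed; look for a stale permission instead."
    return 0
  fi
  write_key_creation_rule false
}

# After CloudM Migrate's keys exist, put the enforcement back.
restore_key_creation_policy() {
  write_key_creation_rule true
}

# Offline demonstration on the constructed samples.
echo "rules/enforce sample:  $(key_creation_status "$SAMPLE_ENFORCED")"   # blocked
echo "legacy sample:         $(key_creation_status "$SAMPLE_LEGACY")"     # blocked
echo "enforce: false sample: $(key_creation_status "$SAMPLE_RELAXED")"    # allowed

# Touch a real organization only when explicitly asked to.
if [ "${RUN_GCLOUD:-0}" = 1 ]; then
  org_is_visible || { echo "Organization $ORG_ID not visible yet; wait for propagation."; exit 1; }
  enable_iam_api
  grant_admin_roles
  relax_key_creation_policy
fi
```

Run it once without arguments to see the classifier on the constructed samples; set RUN_GCLOUD=1 (with real ORG_ID, PROJECT_ID and ADMIN_EMAIL) to apply the steps to your organization, and call restore_key_creation_policy after CloudM Migrate's service account keys have been created so the constraint does not stay relaxed longer than the migration needs.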
Important Considerations
- Propagation Delays: As mentioned, it can take time for permissions, APIs, and policy changes to propagate across GCP. If the changes don't take effect immediately, try refreshing the page or logging out and logging back in.
- Legacy Policies: Always check for and address any conflicting legacy policies that might be overriding the policy you are trying to disable. For more information, see Google's documentation.
- Example: If the Organization Administrator role is not available at the domain level, apply it at the project level instead.