How to allow service account key creation in Google Cloud Platform.
Error: Key creation is not allowed on this service account
You may encounter the error Key creation is not allowed on this service account when running the CubeBackup Service Account Generator or when manually creating a service account key in Google Cloud Platform. This error is caused by the organization policy constraint iam.disableServiceAccountKeyCreation, which is enforced in your organization.
To resolve this, you can choose to create the CubeBackup service account using a personal Gmail account, or follow the instructions below to get an exception and disable this constraint for your CubeBackup project.
Allow service account key creation for the CubeBackup project
Assign Organization Policy Administrator role
To set an organization policy, you must have the Organization Policy Administrator role.
- Sign in to the Google Cloud Console.
- From the project picker, select the main organization.
- Navigate to the IAM & Admin > IAM page from the left panel.
- Click the + GRANT ACCESS button. A Grant access to yourdomain.com dialog will slide out from the right.
- Enter your email address in the Add principals > New principals textbox.
- In the Assigned roles > Select a role field, search for Organization Policy Administrator and select it as the assigned role.
- Click SAVE.
Manage organization policy for the CubeBackup project
- From the project picker, select the "CubeBackup project".
- Navigate to the IAM & Admin > Organization policies page from the left panel.
- Enter Disable service account key creation in the Filter field to search for the organization policy, then select the corresponding constraint from the result list.
- On the Policy details page, click MANAGE POLICY.
- On the Edit policy page, select Override parent's policy.
- Select ADD A RULE and set Enforcement to off.
- Click SET POLICY.
Now, return to the CubeBackup Service Account Generator and retry downloading a service account key. The change may need some time to propagate. If it continues to fail, please reach out to us at [email protected].
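The same change can be made from the command line. The script below is an added example, not part of the original CubeBackup instructions: it grants the role, writes a policy that switches enforcement off for one project only, and then reads back the effective policy. The organization ID, project ID and e-mail address are placeholders, and the helper function names are hypothetical.

```shell
#!/usr/bin/env bash
# Placeholders (assumptions): pass your own organization ID, project ID and admin e-mail.
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Accept only a syntactically valid project ID, so the exception can never be
# written at folder or organization scope by mistake.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Print the project-level policy: one rule with enforcement switched off.
render_policy() {
  valid_project_id "$1" || { echo "invalid project id: $1" >&2; return 1; }
  cat <<EOF
name: projects/$1/policies/$CONSTRAINT
spec:
  rules:
  - enforce: false
EOF
}

# With DRY_RUN=1 (the default) only print the command; with DRY_RUN=0 run it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Usage: allow_key_creation ORG_ID PROJECT_ID ADMIN_EMAIL
# Steps: grant Organization Policy Administrator on the organization, set the
# project-scoped policy, then show the effective policy for that project.
allow_key_creation() {
  org_id=$1 project_id=$2 admin=$3
  policy_file=$(mktemp) || return 1
  render_policy "$project_id" > "$policy_file" || { rm -f "$policy_file"; return 1; }
  run gcloud organizations add-iam-policy-binding "$org_id" \
      --member="user:$admin" --role="roles/orgpolicy.policyAdmin" &&
    run gcloud org-policies set-policy "$policy_file" &&
    run gcloud org-policies describe "$CONSTRAINT" --project="$project_id" --effective
  rc=$?
  rm -f "$policy_file"
  return $rc
}
```

Because the policy name is bound to a single project, the constraint stays enforced for every other project in the organization. Review the output of render_policy and the dry-run plan before running with DRY_RUN=0.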