Fixing Service Account Key Creation Constraint in Google Cloud Console
When working with Google Cloud, you might encounter this frustrating error while trying to create a service account key:
The organization policy constraint ‘iam.disableServiceAccountKeyCreation’ is enforced. This constraint disables the creation of new service account keys
This constraint is typically enforced at the organization level as a security measure, but it can block legitimate use cases. In this guide, I’ll walk you through changing this policy from the Console, without using the CLI.
🤔 Why Does This Happen?
Organizations enforce the iam.disableServiceAccountKeyCreation policy to:
- Prevent unauthorized key creation
- Reduce credential sprawl
- Enforce security best practices
However, legitimate administrators or service accounts sometimes need to create keys. The solution requires appropriate IAM roles.
✅ Solution: Step-by-Step Guide
Step 1: Navigate to Google Cloud Console
- Go to Google Cloud Console
- Click on the project selector dropdown at the top (showing your current project name)
- Select the Organization you need to modify (if you’re at the project level, you need to go to the organization level)
Step 2: Access More Actions
- Click the “More Actions” button (the three vertical dots ⋮) on the right side of the project/organization selector
- A dropdown menu will appear with various options
Step 3: Navigate to IAM Permissions
- From the dropdown menu, click on “IAM & Admin” or “IAM/PERMISSIONS”
- This will take you to the IAM roles management page
Step 4: Assign Necessary Roles
- Find your user account in the list of members
- Click on the Edit button (pencil icon) next to your user
- In the side panel that appears, click “+ Add Another Role”
- Add these two roles:
  - Organization Policy Administrator — required to manage organization policies
  - Organization Administrator — grants administrative access at the organization level
⚠️ Important: These roles must be assigned at the organization level, not the project level. If you’re at the project level, the “Organization Policy Administrator” option won’t appear in the role list.
Step 5: Access Organization Policies
After assigning the roles (wait a few moments for the roles to propagate):
- Click on “Organization Policies” in the left sidebar under IAM & Admin
- OR repeat Steps 1-2 above and select “Organization Policies” from the dropdown menu
Step 6: Edit the Service Account Key Creation Policy
- On the Organization Policies page, use the search bar to find: “Disable service account key creation”
- Click on the matching policy
- Click the “Edit Policy” button
- Modify the rule to either:
  - Remove the policy entirely (if you want to allow all service account key creation)
  - Add exceptions for specific service accounts or projects
  - Change the enforcement level to “advisory only” instead of “enforced”
- Click “Save” to apply changes
Step 7: Verify the Fix
- Navigate back to your project
- Go to IAM & Admin → Service Accounts
- Select your service account
- Go to the Keys tab
- Click “Add Key” → “Create new key”
- You should now be able to create a new key!
🎯 Alternative Approaches
If you need a more granular solution:
Option A: Exempt Specific Projects
Instead of disabling the policy entirely, you can add exemptions:
- In Organization Policies, edit the “Disable service account key creation” policy
- Under Enforcement, add exceptions for specific projects or service accounts
- This allows key creation only where needed
Option B: Use Service Account Impersonation
Instead of creating new keys:
- Keep the constraint enabled
- Use Service Account Impersonation with short-lived credentials
- Generate access tokens via the IAM API
Option C: Manage Keys via Terraform/IaC
If you manage infrastructure as code, the policy and any exceptions to it can be defined in code, so that it is applied less restrictively only to automated deployments that run through trusted, reviewed CI/CD pipelines.
🔒 Security Best Practices
Once you’ve enabled service account key creation, remember:
✅ Limit key creation — Only create keys when necessary
✅ Rotate regularly — Delete unused keys and rotate active ones quarterly
✅ Use minimal permissions — Apply principle of least privilege to service accounts
✅ Monitor key usage — Check audit logs for service account key usage
✅ Consider alternatives — Use Workload Identity or service account impersonation when possible
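The “Monitor key usage” point above is easiest to act on with a small check over exported audit logs. The following Python is an added example for this guide, not code from the original post or from Google: it reads newline-delimited Cloud Logging entries, flags every new service account key and every change to the iam.disableServiceAccountKeyCreation policy, and then pairs a policy change with any key minted shortly afterwards, which is exactly the sequence this guide walks through and therefore the one worth reviewing. The log entries, organization ID, project, principals and service account are constructed; the audit-log method names are assumed to match what Cloud Audit Logs record.

```python
"""Review Cloud Audit Log entries for service account key creation and for
changes to the iam.disableServiceAccountKeyCreation org policy.

Input is newline-delimited JSON in the shape of a Cloud Logging LogEntry export
with an AuditLog protoPayload. The entries below are constructed for this
example; the method names are assumed to match what Cloud Audit Logs record.
"""
import json
from datetime import datetime, timedelta

CONSTRAINT = "iam.disableServiceAccountKeyCreation"
KEY_CREATION_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"
ORG_POLICY_METHODS = {
    "google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy",
    "google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy",
    "google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy",
}


def _entry(ts, service, method, resource, principal):
    """Build one constructed LogEntry with only the fields the checks read."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


# Constructed sample: org ID, project, principals and service account are made up.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("2024-06-28T13:40:05Z", "iam.googleapis.com",
           "google.iam.admin.v1.ListServiceAccounts",
           "projects/example-project", "bob@example.com"),
    _entry("2024-06-28T14:02:11Z", "orgpolicy.googleapis.com",
           "google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy",
           "organizations/123456789012/policies/" + CONSTRAINT,
           "alice@example.com"),
    _entry("2024-06-28T14:03:30Z", "orgpolicy.googleapis.com",
           "google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy",
           "organizations/123456789012/policies/compute.vmExternalIpAccess",
           "alice@example.com"),
    _entry("2024-06-28T14:05:40Z", "iam.googleapis.com",
           KEY_CREATION_METHOD,
           "projects/-/serviceAccounts/deploy@example-project.iam.gserviceaccount.com",
           "alice@example.com"),
])


def _ts(value):
    """Cloud Logging timestamps are RFC 3339 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_audit_log(ndjson, constraint=CONSTRAINT):
    """Return (timestamp, kind, principal, resource) for each event worth an alert.

    kind is "sa_key_created" for a new user-managed key and "key_policy_changed"
    for any create/update/delete of the key-creation constraint itself. Other
    org policy changes and read-only IAM calls are ignored.
    """
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        resource = payload.get("resourceName", "")
        if method == KEY_CREATION_METHOD:
            findings.append((entry["timestamp"], "sa_key_created", principal, resource))
        elif method in ORG_POLICY_METHODS and resource.endswith("/policies/" + constraint):
            findings.append((entry["timestamp"], "key_policy_changed", principal, resource))
    return findings


def keys_minted_after_policy_change(findings, window=timedelta(hours=1)):
    """Pair each policy change with key creations that follow it within `window`.

    Returns (who_changed_policy, who_created_key, service_account, seconds_between).
    Whether the actor is an administrator following this guide or someone who
    should not have held the role, the sequence deserves a review.
    """
    changes = [f for f in findings if f[1] == "key_policy_changed"]
    creations = [f for f in findings if f[1] == "sa_key_created"]
    pairs = []
    for ts_c, _, who_changed, _ in changes:
        for ts_k, _, who_created, sa in creations:
            delta = _ts(ts_k) - _ts(ts_c)
            if timedelta(0) <= delta <= window:
                pairs.append((who_changed, who_created, sa, int(delta.total_seconds())))
    return pairs


if __name__ == "__main__":
    found = review_audit_log(SAMPLE_LOG)
    for f in found:
        print(*f)
    for p in keys_minted_after_policy_change(found):
        print("policy change followed by key creation:", p)
```

Feed it a real export (for example the output of `gcloud logging read --format=json` converted to one entry per line) and widen or narrow the window to match how long your own approval process takes between loosening the policy and issuing a key.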
🧪 Testing Your Setup
After making these changes:
```bash
# List service accounts in your project
gcloud iam service-accounts list

# Create a key for a service account (if using gcloud CLI)
gcloud iam service-accounts keys create key.json \
  --iam-account=SERVICE_ACCOUNT_EMAIL@PROJECT_ID.iam.gserviceaccount.com

# Verify key was created
gcloud iam service-accounts keys list \
  --iam-account=SERVICE_ACCOUNT_EMAIL@PROJECT_ID.iam.gserviceaccount.com
```
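The “rotate quarterly” rule from the best-practices list needs something that tells you which keys are overdue. This Python snippet is an added example for this guide, not code from the original post or from Google: it takes the JSON that `gcloud iam service-accounts keys list --iam-account=... --format=json` prints and lists the user-managed keys older than 90 days, skipping the Google-managed keys that rotate on their own. The sample JSON, key IDs, project and service account are constructed to match the shape of that output.

```python
"""Flag user-managed service account keys that are past a rotation deadline.

Input is the JSON that `gcloud iam service-accounts keys list --format=json`
prints; the sample below is constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape gcloud emits (project, account, key IDs and
# dates are made up).
SAMPLE_KEYS_JSON = """
[
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "GOOGLE_PROVIDED",
    "keyType": "USER_MANAGED",
    "name": "projects/example-project/serviceAccounts/deploy@example-project.iam.gserviceaccount.com/keys/aaaa1111",
    "validAfterTime": "2024-01-10T09:00:00Z",
    "validBeforeTime": "9999-12-31T23:59:59Z"
  },
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "GOOGLE_PROVIDED",
    "keyType": "USER_MANAGED",
    "name": "projects/example-project/serviceAccounts/deploy@example-project.iam.gserviceaccount.com/keys/bbbb2222",
    "validAfterTime": "2024-05-20T09:00:00Z",
    "validBeforeTime": "9999-12-31T23:59:59Z"
  },
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "GOOGLE_PROVIDED",
    "keyType": "SYSTEM_MANAGED",
    "name": "projects/example-project/serviceAccounts/deploy@example-project.iam.gserviceaccount.com/keys/cccc3333",
    "validAfterTime": "2024-06-01T09:00:00Z",
    "validBeforeTime": "2024-06-15T09:00:00Z"
  }
]
"""

ROTATION_PERIOD = timedelta(days=90)  # "quarterly" from the best-practices list


def parse_rfc3339(ts):
    """gcloud prints timestamps as RFC 3339 with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_user_keys(keys_json, now_rfc3339, max_age=ROTATION_PERIOD):
    """Return (key_id, age_in_days) for USER_MANAGED keys older than max_age.

    For a user-managed key validAfterTime is the moment it was created, so the
    key's age is measured from there. SYSTEM_MANAGED keys are Google-rotated
    and skipped.
    """
    now = parse_rfc3339(now_rfc3339)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > max_age:
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age.days))
    return stale


if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for key_id, days in stale_user_keys(SAMPLE_KEYS_JSON, today):
        print(f"key {key_id} is {days} days old; rotate it")
```

Pipe the real command output into `stale_user_keys` (or read it from a file) and delete the listed keys with `gcloud iam service-accounts keys delete` once their replacements are in place.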
🚨 Common Issues
“Organization Policy Administrator role not visible”
- Cause: You’re at the project level instead of the organization level
- Solution: Make sure you’re assigning roles at the organization level in IAM & Admin
“Permission denied” after adding roles
- Cause: Role propagation takes time
- Solution: Wait 5-10 minutes and try again, or log out and back in
Policy change not taking effect
- Cause: Cache or role synchronization delay
- Solution: Clear browser cache or use incognito mode to test
📚 Related Resources
- Google Cloud Organization Policies Documentation
- Service Account Best Practices
- Workload Identity Federation
📝 Summary
The iam.disableServiceAccountKeyCreation constraint is a powerful security control, but with the right IAM roles, you can manage it when needed:
- ✅ Assign yourself Organization Policy Administrator and Organization Administrator roles at the organization level
- ✅ Navigate to Organization Policies
- ✅ Edit the “Disable service account key creation” policy
- ✅ Modify the enforcement rule to suit your needs
- ✅ Create service account keys as needed
Remember: With great power comes great responsibility — use this capability carefully and monitor key creation activities!
Happy cloud engineering! ☁️