DEV Community

Cover image for Fixing “Service Account Key Creation is Disabled” in Google Cloud
Tahsin Abrar
Tahsin Abrar

Posted on

Fixing “Service Account Key Creation is Disabled” in Google Cloud

#googlecloud #gcp #cloudsecurity #developers

If you’ve been working with Google Cloud and suddenly hit this message when trying to create a service account key:

Service account key creation is disabled
An Organization Policy that blocks service accounts key creation has been enforced on your organization.
Enforced Organization Policies IDs:
iam.disableServiceAccountKeyCreation
Enter fullscreen mode Exit fullscreen mode

…don’t panic. This is actually a security feature put in place by your organization (or Google’s “Secure by Default” settings) to reduce the risk of leaked keys.

In this post, I’ll explain why this happens and walk you through step-by-step how to fix it safely for your project.

💡 Why is this happening?

Google Cloud has an Organization Policy called:

iam.disableServiceAccountKeyCreation
Enter fullscreen mode Exit fullscreen mode

When this is enabled, it blocks the creation of external service account keys.
This is meant to:

  • Prevent accidental key exposure
  • Reduce risks from long-lived credentials
  • Encourage more secure alternatives (like Workload Identity Federation)

If you’re seeing the error, it means:

  • Your organization admin has enforced the policy, and
  • Your project is inheriting that restriction.

🔧 How to Fix It for Your Project

If you really need to create a service account key (for example, to integrate with APIs that don’t support Workload Identity), you can override the policy at the project level — if you have the right permissions.

You’ll need:

  • Organization Policy Administrator role (roles/orgpolicy.policyAdmin)
  • Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin) or higher

Step 1: Go to Organization Policies

  1. Open Google Cloud Console: https://console.cloud.google.com/iam-admin/orgpolicies
  2. In the top-left resource selector, choose your organization (not just the project).

Step 2: Search for the Policy

  1. Use the search bar and type: 
   iam.disableServiceAccountKeyCreation
Enter fullscreen mode Exit fullscreen mode
  1. Click on the result to open the policy details.

Step 3: Override the Policy for Your Project

  1. At the top of the page, click Edit.
  2. Under Policy source, you’ll see: 
   Inherit parent's policy
   Google-managed default
   Override parent's policy
Enter fullscreen mode Exit fullscreen mode
  1. Select Override parent’s policy.
  2. Change the setting from Enforced to Not enforced.
  3. Click Save.

Now your project can create service account keys without changing the policy for the entire organization.

Step 4: Create the Service Account Key

  1. Go to: IAM & Admin → Service Accounts
  2. Find your service account
  3. Click Keys → Add key → Create new key
  4. Download the JSON file — keep it secure!

Top comments (0)