Fixing “Service Account Key Creation is Disabled” in Google Cloud Console

When working with Google Cloud and products like Google Earth Engine, you may run into this frustrating error:

Service account key creation is disabled
An organisation policy that blocks service account key creation has been enforced on your organisation.

This guide walks through why this happens, how to diagnose it, and the exact steps to fix it — based on a real-world scenario.

---

Understanding the Problem

Google Cloud service account keys allow code running outside GCP (like a backend server) to authenticate securely.
However, they also pose a security risk if leaked.

Many organisations block key creation by enforcing an Organisation Policy Constraint:

• Legacy constraint: iam.disableServiceAccountKeyCreation
• Managed constraint (newer): iam.managed.disableServiceAccountKeyCreation

When either one is active and enforced at the organisation level, all projects inherit the restriction.
This means even if you are a Project Owner, you can’t create JSON keys until the policy is overridden.

---

Why Both Policies Matter

Google is migrating from the legacy constraint to the managed constraint, but during the transition:

• Both constraints are evaluated for security.
• Disabling just one is not enough — if the other remains active, the block continues.

That’s why some users disable the new constraint, but still see the error when creating keys — the legacy one is still active.

---

Diagnosing the Issue

1. Switch to your project in the Google Cloud Console.
2. Navigate to:

   IAM & Admin → Organisation policies

1. Search for "Disable service account key creation".
2. If you see two entries:

• One with .managed in the ID (new)

• One without .managed (legacy)

  1. Check the Enforcement state:

• If Active, the policy is blocking you.

---

Fixing the Policy

Step 1 — Make Sure You Have the Right Role

You need:

• Organisation Policy Administrator (roles/orgpolicy.policyAdmin) or
• Organisation Administrator (roles/resourcemanager.organizationAdmin)

If you only have project-level roles, you won’t be able to override an inherited policy.

---

Step 2 — Override the Managed Constraint

1. Switch to your project.
2. Go to:

   IAM & Admin → Organisation policies

1. Search for:

   iam.managed.disableServiceAccountKeyCreation

1. Click it → Manage policy.
2. Choose:

• Override parent’s policy
• Set Enforcement to Off.
  1. Save.

---

Step 3 — Override the Legacy Constraint

1. Still in the project view, search for:

   iam.disableServiceAccountKeyCreation

1. Click it → Manage policy.
2. Choose:

• Override parent’s policy
• Set Enforcement to Off.
  1. Save.

---

Step 4 — Ensure Project Access

Even with the policy disabled, you must have the right project-level permissions:

• Service Account Admin (roles/iam.serviceAccountAdmin)
• or Editor (roles/editor)

Without these, you may see:

Missing permissions: iam.serviceAccounts.list

when trying to open the Service Accounts page.

---

Creating the Service Account Key

Once both constraints are set to Not enforced for your project:

1. Go to:

   IAM & Admin → Service accounts

1. Open your service account.
2. Go to the Keys tab.
3. Click:

   Add key → Create new key → JSON

1. Download and store the key securely.

---

Security Best Practices

• Never commit your JSON key to GitHub or public storage.
• Store it in a secure secret manager.
• Rotate or delete unused keys regularly.
• Consider using Workload Identity Federation to avoid storing keys entirely.

---

Conclusion

The “Service account key creation is disabled” error is usually caused by organisation policies.
The tricky part is that both the legacy and the managed constraint can block you — disabling only one won’t work.

By:

1. Overriding both constraints at the project level, and
2. Ensuring you have the right project permissions,

…you can generate the JSON key and move forward with your development.