How to Fix the Error ‘Unable to Enable Service Account Key Creation’ in Google Cloud

Introduction

When setting up service account keys in Google Cloud, you may encounter a message stating that Service Account Key Creation is Disabled.

This usually occurs due to insufficient permissions, even if you are logged in with an owner-level account.

This article explains how to resolve the error “Unable to Enable Service Account Key Creation” in Google Cloud. You will learn how to grant the required Organization Policy Administrator role, override the restrictive organization policy, and verify that the correct permissions are in place. By following these instructions, you will enable service account key creation and ensure that your account has the necessary permissions, even if you are using an owner-level account.

Note: To enable service account key creation, the account must have the Organization Policy Administrator role. Without this specific permission, even owner accounts cannot make the required changes.


Assign the Organization Policy Administrator Role

  1. Click the dropdown menu.
  2. Select the organization level.
  3. From the Burger menu, select IAM & Admin > IAM.
  4. Click Grant Access.
  5. In New Principals, enter the account you are currently logged in with.
  6. In the Role selector, choose Organization Policy Administrator.
  7. Use the filter in the Role selector if needed to locate the role quickly.
  8. Click SAVE.

Override the Disabled Service Account Key Creation Policy

  1. Refer to Step 1 and switch the focus back to the project you created.
  2. From the Burger menu, select IAM & Admin > Organization policies.
  3. From the list of organizational policies, select Disable service account key creation (this policy is on the 2nd page of policies).
  4. On the policy page, click Manage Policy.
  5. Select Override parent’s policy.
  6. Add a rule and set enforcement to off.
  7. Click Set Policy.
  8. Log out and log back in to the developer console.

Then, you should be able to proceed with creating service account keys.

If the previous steps did not resolve the issue, please follow the steps below to verify that the account being used has the necessary permissions.

Verify the Assigned User Role Permission

  1. Use an account with Owner access—preferably the original account that created the project.
  2. Go to Google Cloud Console.
  3. In the left-hand menu, navigate to IAM & Admin.
  4. Click on the Permissions tab.
  5. Select View by principals from the dropdown.
  6. Use the search bar to find the account by its email address.
  7. Review the Role(s) column to verify if Organization Policy Administrator is listed.
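
The role check above and the project-level override from the previous section can also be verified from exported JSON. This is an added example, not part of the original article: it assumes the role ID `roles/orgpolicy.policyAdmin` for Organization Policy Administrator and the constraint ID `iam.disableServiceAccountKeyCreation`, and the sample JSON, email addresses and function names are constructed for illustration.

```python
import json

ROLE = "roles/orgpolicy.policyAdmin"  # role ID of Organization Policy Administrator
CONSTRAINT = "iam.disableServiceAccountKeyCreation"

# Constructed sample of: gcloud organizations get-iam-policy ORG_ID --format=json
ORG_IAM = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:owner@example.com", "user:dev@example.com"]},
  {"role": "roles/orgpolicy.policyAdmin", "members": ["user:owner@example.com"]},
  {"role": "roles/orgpolicy.policyAdmin", "members": ["user:temp@example.com"],
   "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
]}""")

# Constructed sample of:
#   gcloud org-policies describe iam.disableServiceAccountKeyCreation --project=PROJECT_ID --format=json
PROJECT_POLICY = json.loads("""
{"name": "projects/111111111111/policies/iam.disableServiceAccountKeyCreation",
 "spec": {"rules": [{"enforce": false}]}}""")

def role_status(iam_policy, email, role=ROLE):
    """Return 'granted', 'conditional' or 'missing' for user:<email>.
    Grants inherited through a group are not resolved here."""
    member, status = f"user:{email.lower()}", "missing"
    for binding in iam_policy.get("bindings", []):
        members = [m.lower() for m in binding.get("members", [])]
        if binding.get("role") != role or member not in members:
            continue
        if "condition" not in binding:
            return "granted"
        status = "conditional"  # role applies only while the condition holds
    return status

def override_status(policy, constraint=CONSTRAINT):
    """Return (scope, state). scope is 'project', 'folder' or 'organization';
    state is 'off' only when every rule unconditionally sets enforce to false."""
    parts = policy.get("name", "").split("/")
    if (len(parts) != 4 or parts[0] not in ("projects", "folders", "organizations")
            or parts[2] != "policies" or parts[3] != constraint):
        raise ValueError("not a policy for " + constraint)
    rules = policy.get("spec", {}).get("rules", [])
    off = bool(rules) and all(
        r.get("enforce") is False and "condition" not in r for r in rules)
    return parts[0].rstrip("s"), "off" if off else "enforced-or-inherited"

if __name__ == "__main__":
    print({w: role_status(ORG_IAM, w + "@example.com") for w in ("owner", "dev", "temp")})
    print(override_status(PROJECT_POLICY))
```

A result of `("project", "off")` matches the procedure in this article, where the override is set on the project; a scope of `folder` or `organization` means enforcement was turned off for more than the one project.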

What to do if the Role is Missing

Q: Can I check or assign roles through the Google Play Console?
A: No. Permissions like Organization Policy Administrator must be managed in the Google Cloud Console.

  1. If the role is missing, go back to IAM & Admin > Roles.
  2. Assign the Organization Policy Administrator role to the necessary account.
  3. Save the changes.
  4. Return to your original setup process or tutorial.
  5. Attempt to enable service account key creation again.

Troubleshooting and FAQs

Q: What if I have owner-level access but still can’t enable key creation?
A: Ownership alone isn’t enough. You must specifically have the Organization Policy Administrator role.

Q: What account should I use to check permissions?
A: Use the owner’s Google Cloud account that created the project, not secondary accounts like [email protected].

Q: The permission is assigned, but I still can’t enable key creation. What should I do?
A: Double-check other IAM permissions related to service account management. Ensure that all required roles are correctly set.
