If you see a "Service account key creation is disabled" message when attempting to create a Google service account .json key, you may need to adjust roles and organization policies in your Google Cloud organization. This article walks through how to resolve this error.
In this article:
- What is causing the service account key creation error?
- What to know before fixing the service account key creation error
- Fix the service account key creation error: check your role permissions
- Fix the service account key creation error: review organization policies
What is causing the service account key creation error?
When attempting to create a Google service account .json key, you may run into the following error: "The organization policy constraint 'iam.disableServiceAccountKeyCreation' is enforced on your organization."
This error likely stems from the Google account you are using being affiliated with a Google Workspace, Google Cloud Identity, or G Suite organization where service account key creation is disabled by organization policy. For security reasons, Google sometimes enforces this policy by default, but it can be reversed.
Rest assured that creating a service account JSON key is still secure and will not bring any security liability to your Vimeo OTT Android application(s).
⚠️ Before you begin troubleshooting, we recommend logging in to your Google developer account within an incognito or private web browser. Doing so will ensure that you are only logged in to the Google account you need and avoid conflict with other personal or organizational logins you may have.
What to know before fixing the service account key creation error
You can only follow the steps below if your Google account has been granted, at a minimum, the Organization Policy Administrator role within Google Cloud. You can check whether you have these permissions by logging in to Google Admin, where you may be presented with a prompt to sign in with an administrator account.
If you cannot progress beyond this screen, your account does not have the permissions within your organization to adjust policies or roles. Another user in your organization with administrator access will need to update your role.
Fix the service account key creation error: check your role permissions
Once you confirm access, you will need to change your Google Cloud "project" to your parent organization and not the project you've created specifically for your Google developer account.
- Go to the top of the Google Cloud page and open the dropdown menu.
- Select the top organization possible, which is the "Parent Organization." This is reflected by an icon that represents a building. You will also see additional projects that you or your organization has created underneath the parent organization.
- Once you are in the parent organization, check your current role within it. Select the 3 horizontal line menu icon in the top-left of the Google Cloud page.
- Hover over IAM & Admin and select IAM.
- Within the IAM section, you will be presented with a list of all accounts affiliated with your parent organization. Locate the account you are using and select the pencil icon labeled as Edit Principal.
- Under the Assign Roles section, ensure your account has the following roles, selecting + Add Another Role for each one that is missing:
  - Owner
  - Organization Policy Administrator
  - Service Account Admin
  - Service Account Key Admin
- Then, select Save.
Fix the service account key creation error: review organization policies
Once you update and confirm your account roles, review the policies associated with your organization. To do so:
- Select the 3 horizontal line menu icon in the top-left of the Google Cloud page.
- Hover over IAM & Admin and select Organization Policies.
- On this page, using the "Filter" search bar, search for "Disable Service Account Key Creation."
- Alternatively, you can type in "Service" or "Service Account" and the policy should appear in the list below.
- ⚠️ Note: There may be multiple "Disable Service Account Key Creation" policy instances flagged as "Active." Follow the steps below to adjust the policy on all of them; otherwise key creation may still fail.
- If you have the proper permissions associated with your account, you should be able to select the 3 vertical dots on the right and select Edit Policy.
- On the policy screen, you may see one of two options depending on your account role. The steps below highlight both presentation options, but the resolution steps would be the same:
- Under "Policy Source," select either Override parent's policy or Customize.
- Under "Rules," select New rule or Edit rule and change "Enforcement" to Off.
- Select Set Policy to save your changes.
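For administrators who prefer to verify the two prerequisites above (the roles on your account and the effective state of the constraint) from a terminal before changing anything in the console, the following POSIX shell script is an added example; it is not part of the original article or of Vimeo's tooling. It assumes the gcloud CLI is installed and signed in as the administrator account, and the organization ID and admin e-mail passed to `preflight` are placeholders you must replace. The role-comparison and policy-parsing helpers run offline on constructed input; only `preflight` calls gcloud.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks before
# editing the iam.disableServiceAccountKeyCreation organization policy.

CONSTRAINT="iam.disableServiceAccountKeyCreation"

# The roles the article asks you to assign to your account (IAM role IDs).
REQUIRED_ROLES="roles/owner roles/orgpolicy.policyAdmin roles/iam.serviceAccountAdmin roles/iam.serviceAccountKeyAdmin"

# Given the roles a principal holds (one role ID per line), print the required
# roles that are missing. Returns 0 when nothing is missing, 1 otherwise.
missing_roles() {
  held="$1"
  missing=""
  for r in $REQUIRED_ROLES; do
    if ! printf '%s\n' "$held" | grep -qx "$r"; then
      missing="$missing $r"
    fi
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Given the YAML printed by `org-policies describe --effective`, return 0 when
# the constraint is enforced, i.e. the state that produces the article's error.
policy_enforced() {
  printf '%s\n' "$1" | grep -Eq '^ *enforced: *true *$'
}

# Live checks against your organization. Placeholders: ORG_ID is the numeric
# organization ID from `gcloud organizations list`; ADMIN is your account e-mail.
preflight() {
  org_id="$1"
  admin="$2"

  # Roles bound to this account at the organization level (same data the IAM
  # page shows after you select the parent organization).
  held=$(gcloud organizations get-iam-policy "$org_id" \
      --flatten="bindings[].members" \
      --filter="bindings.members:user:$admin" \
      --format="value(bindings.role)")
  if ! m=$(missing_roles "$held"); then
    echo "missing roles for $admin at org $org_id: $m" >&2
    return 1
  fi

  # Effective policy, i.e. what is actually enforced after inheritance.
  eff=$(gcloud resource-manager org-policies describe "$CONSTRAINT" \
      --organization="$org_id" --effective)
  if policy_enforced "$eff"; then
    echo "service account key creation is blocked at org $org_id" >&2
    echo "CLI equivalent of Edit Policy -> Enforcement Off:" >&2
    echo "  gcloud resource-manager org-policies disable-enforce $CONSTRAINT --organization=$org_id" >&2
    return 2
  fi
  echo "service account key creation is permitted at org $org_id"
}

# Usage (replace the placeholders): preflight 123456789012 admin@example.com
```

The effective-policy check matters because of the note above about multiple active instances: `--effective` reports the inherited result, so if it still shows `enforced: true` after you edit one policy, another instance higher or lower in the hierarchy is still enforcing the constraint.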
Upon completion of the above steps, you should then be able to return to our Google developer account creation guide and resume adding the Vimeo Service account. Contact your Implementation Manager if you continue to run into any further issues.