Troubleshooting 101: Solving the “Service Account Key Creation is Disabled” error.
Understanding Service Account Key Creation and Its Implications in Google Cloud
1. What Does It Mean When Service Account Key Creation is Disabled?
When service account key creation is disabled in Google Cloud, it means that users and applications within your Google Cloud organization are prevented from generating new private keys for service accounts. Service accounts are special types of accounts used by applications and virtual machines (VMs) to interact with other Google Cloud services.
Private keys are critical for authenticating and authorizing service accounts to access resources. Disabling the creation of these keys is a security measure to reduce the risk associated with managing and securing these keys. Once the policy is enforced, existing keys can still be used until they are revoked or expire, but no new keys can be generated.
2. Reason Behind That Enforcement
Disabling service account key creation is enforced to enhance the security of your Google Cloud environment. Here are some key reasons for this enforcement:
- Minimize Security Risks: Private keys can be compromised if not handled securely. Disabling key creation reduces the risk of these keys being exposed, stolen, or misused.
- Encourage Best Practices: Google Cloud provides better alternatives such as Workload Identity Federation and IAM roles, which offer more secure and manageable ways to grant permissions without relying on long-lived keys.
- Reduce Operational Overhead: Managing and rotating keys can be complex and error-prone. By disabling key creation, organizations can avoid the operational burden associated with key management.
- Compliance and Governance: Many industries have strict compliance and governance requirements. Disabling key creation helps meet these requirements by ensuring that sensitive credentials are not mishandled.
So to deal with this enforcement, you should either use Workload Identity Federation (the preferred way) or expressly allow SA key creation on tag-based projects.
Before you go ahead with Org Policy changes, please read the prerequisites for assigning the Organization Policy Administrator role:
1. Organizational Access:
- You need to have access to the Google Cloud organization where you want to assign the role.
2. Administrative Permissions:
- You must have one of the following roles: Organization Admin (roles/resourcemanager.organizationAdmin), IAM Admin (roles/resourcemanager.organizationAdmin), or an equivalent role with the necessary permissions to manage IAM roles and policies at the organizational level.
3. Google Cloud Console Access:
- Ensure you have access to the Google Cloud Console.
3. Steps to Assign Organization Policy Admin
To assign the Organization Policy Admin role, follow these steps:
Step-by-Step Guide:
1. Open Google Cloud Console:
- Go to the Google Cloud Console.
2. Navigate to IAM & Admin:
- In the left-hand navigation pane, click on IAM & Admin.
- Select IAM.
3. Select the Organization:
- If you manage multiple organizations, select the appropriate organization from the organization selector drop-down at the top of the page.
4. Add a Member:
- Click on the Add button at the top of the IAM page.
5. Enter Member Information:
- In the New members field, enter the email address of the user or service account you want to assign the role to.
6. Assign Role:
- Click on the Select a role drop-down menu.
- Under Resource Manager, select Organization Policy Administrator.
7. Save Changes:
- Click Save to assign the role to the selected member.
4. Assign TAG for project
1. Open the Tags page in the Google Cloud console.
2. From the Scope picker at the top of the page, select the organization or project under which you want to create a tag key.
3. Click Create.
4. In the Tag key box, enter the display name of your tag key. This becomes part of the namespaced name of your tag.
5. In the Tag key description box, enter a description of your tag key.
6. If you want to add tag values to this key, click Add value for each tag value you want to create.
7. In the Tag value box, enter the display name of your tag value. This becomes part of the namespaced name of your tag.
8. In the Tag value description box, enter a description of your tag value.
9. When you have finished adding tag values, click Create tag key.
5. Exclude project from org policy with TAG
1. In the Google Cloud console, go to the Organization policies page.
2. From the project picker, select the project for which you want to set the organization policy.
3. On the Organization policies page, select a constraint from the list. For the error discussed here, the constraint is Disable service account key creation (iam.disableServiceAccountKeyCreation). The Policy details page for that constraint appears.
4. To update the organization policy for this resource, click Manage policy.
5. On the Edit policy page, select Override parent's policy.
6. Under Policy enforcement, select an enforcement option:
- To merge and evaluate your organization policies together, select Merge with parent. For more information about inheritance and the resource hierarchy, see Understanding Hierarchy Evaluation.
- To override policies inherited from a parent resource, select Replace.
7. Click Add rule.
8. Under Policy values, select whether this organization policy should allow all values, deny all values, or specify a custom set of values.
- Specific values accepted by the policy depend on the service to which the policy applies. For a list of constraints and the values they accept, see Organization policy constraints.
9. Optionally, to make the organization policy conditional on a tag, click Add condition.
- In the Title field, enter a name for the condition.
- In the Description field, give your condition a description. The description provides context on the tags that are required and how they impact resources.
- You can use the Condition builder to create a condition that requires a particular tag for the constraint to take effect.
- In the Condition type box, select Tag.
- Select the Operator for your condition. To match an entire tag, use the matches operator. To match a tag key and a tag value, use the matches ID operator.
- If you selected the matches operator, enter the namespaced name of the tag value. If you selected the matches ID operator, enter the key and value IDs.
- You can create multiple conditions by clicking Add. If you add another condition, you can set the conditional logic to require all of them by toggling And. You can set the conditional logic to require only one of the conditions to be true by toggling Or.
- You can delete an expression by clicking the large X to the right of the condition fields.
- When you have finished editing your conditions, click Save.
⚠️ Warning: If you create a query that includes the ! logical operator in the Condition editor, the Condition builder displays an error message and is not able to render the query. The query will function, but you must use the Condition editor to make any further changes to the query.
10. To finish and apply the organization policy, click Save.
6. Test your settings
Here we have a project without the tag. As we can see, there is no possibility to create a key for the service account, due to Organization Policy restrictions.
And here is a project with the tag, where we have created an SA key without any errors.
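The same setup expressed as a policy object, plus a small check that reproduces the two outcomes above (tagged project: key creation allowed; untagged project: blocked). This is an added example, not code from the original post or from Google; the organization ID, tag key sa-keys and tag value allowed are constructed placeholders, and the evaluator is a simplified model of how a conditional rule overrides the unconditional one.

```python
import re

# Constructed example values: placeholders for this illustration, not real IDs.
ORG_ID = "123456789012"                           # placeholder organization ID
TAG_KEY = f"{ORG_ID}/sa-keys"                     # namespaced tag key: ORG_ID/short_name
TAG_VALUE_SHORT = "allowed"                       # short name of the tag value
CONSTRAINT = "iam.disableServiceAccountKeyCreation"


def build_policy(project_id: str) -> dict:
    """Org Policy v2 payload equivalent to the console steps: override the
    parent's policy with Replace, keep the constraint enforced by default,
    and switch it off only where the tag condition matches."""
    return {
        "name": f"projects/{project_id}/policies/{CONSTRAINT}",
        "spec": {
            "inheritFromParent": False,  # 'Replace' rather than 'Merge with parent'
            "rules": [
                {
                    "enforce": False,
                    "condition": {
                        "title": "Allow SA keys on tagged projects",
                        # CEL tag condition: namespaced key, value short name
                        "expression": f"resource.matchTag('{TAG_KEY}', '{TAG_VALUE_SHORT}')",
                    },
                },
                {"enforce": True},
            ],
        },
    }


_MATCH_TAG = re.compile(r"resource\.matchTag\('([^']+)', '([^']+)'\)")


def key_creation_blocked(policy: dict, project_tags: set[str]) -> bool:
    """Simplified evaluation: a conditional rule whose tag matches wins,
    otherwise the unconditional rule applies. project_tags holds the
    project's effective tags as namespaced values (KEY/VALUE)."""
    rules = policy["spec"]["rules"]
    for rule in rules:
        cond = rule.get("condition")
        if cond is None:
            continue
        m = _MATCH_TAG.fullmatch(cond["expression"])
        if m and f"{m.group(1)}/{m.group(2)}" in project_tags:
            return rule["enforce"]
    for rule in rules:
        if "condition" not in rule:
            return rule["enforce"]
    return False  # no rule at all: this constraint's default is 'not enforced'
```

Written to a file with json.dumps, the dict returned by build_policy is in the shape gcloud org-policies set-policy accepts, so the console procedure can be kept in version control.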
Conclusion
Handling the “Service account key creation is disabled” error in Google Cloud can seem daunting, but by following the steps outlined in this guide, you can effectively navigate this challenge. Disabling service account key creation is a crucial security measure designed to minimize risks, encourage best practices, reduce operational overhead, and ensure compliance.
By leveraging alternatives such as Workload Identity Federation and carefully managing IAM roles, you can maintain secure and efficient access to your Google Cloud resources. Additionally, understanding and utilizing organization policies and tags can provide the necessary flexibility to manage exceptions while adhering to security standards.
Remember, enhancing security often involves adopting new practices and tools, and the effort invested in understanding these processes will pay off in the long run. Stay proactive in managing your cloud environment, and you’ll not only overcome this error but also build a more secure and robust infrastructure.
Do not forget the 👏✌️❤️ if you like this content!
Also, I will be glad if you hit the follow button so you get notified of my new posts.
You can also follow me on LinkedIn.
You can join our Google Cloud Community Poland LinkedIn group. It’s open!
Thank you!