403
policy
auth_error
ai_generated
partial
Permission 'iam.serviceAccountKeys.create' denied on resource 'projects/my-project/serviceAccounts/[email protected]'
ID: policy/gcp-iam-policy-deny-service-account-key-creation
Fix Rate: 80%
Confidence: 87%
Evidence: 1
First Seen: 2024-05-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| GCP IAM v1 | active | — | — | — |
| Organization Policy v2 | active | — | — | — |
Root Cause
The organization policy constraint constraints/iam.disableServiceAccountKeyCreation is enforced on the project (set directly or inherited from a folder or the organization) to prevent long-lived credentials, and a user or CI/CD pipeline attempts to create a user-managed key for automation. The call fails with a 403 on iam.serviceAccountKeys.create even when the caller holds that IAM permission, because the constraint is evaluated in addition to IAM.
Official Documentation
https://cloud.google.com/iam/docs/restricting-service-account-key-creation
Workarounds
- 85% success: Use workload identity federation for CI/CD instead of service account keys (e.g., GitHub Actions OIDC). The job exchanges the identity provider's short-lived OIDC token for service account credentials, so no key is ever created. Scope the provider's attribute condition and the roles/iam.workloadIdentityUser binding to the specific repository rather than the whole pool.
- 70% success: Request an exception to the organization policy. An Organization Policy Administrator (roles/orgpolicy.policyAdmin) can set a project-level override of the constraint in the Cloud Console or with gcloud. Exceptions should be time-boxed and justified, since they reintroduce exactly the long-lived credentials the policy exists to prevent.
Dead Ends
Common approaches that don't work:
- 90% fail: Granting more IAM permissions (even Owner or Service Account Key Admin). The organization policy constraint is checked in addition to IAM, so while it is active it blocks key creation for every principal, admins included.
- 75% fail: Creating the key while impersonating another identity (e.g., gcloud --impersonate-service-account). The constraint applies to the target project regardless of who calls iam.serviceAccountKeys.create, so the impersonated principal is denied in the same way. Impersonation itself is not blocked: minting short-lived tokens through iam.serviceAccounts.getAccessToken requires roles/iam.serviceAccountTokenCreator on the service account, not key creation, and is the intended replacement for a key.
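The workaround and the checks above, as an added example that is not part of the original page or of any Google tooling: a shell script that lists (and, with APPLY=1, executes) the gcloud calls to confirm the effective constraint on the project, create a Workload Identity Federation pool and a GitHub OIDC provider restricted to one repository, bind that repository to the service account, print the matching GitHub Actions step, and show the key-free impersonation path a human operator can use instead. The project ID, project number, service account email, repository name, pool ID and provider ID are all assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): replace a service account key
# with Workload Identity Federation for GitHub Actions, plus the checks a
# practitioner runs first. All values below are assumptions; substitute yours.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)'
SA_EMAIL="${SA_EMAIL:-deployer@${PROJECT_ID}.iam.gserviceaccount.com}"
GITHUB_REPO="${GITHUB_REPO:-my-org/my-repo}"       # the only repository allowed to impersonate the SA
POOL_ID="github-pool"
PROVIDER_ID="github-provider"
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# run: print each command for review; execute it only when APPLY=1 is set.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. Confirm the denial really comes from the org policy constraint. The
#    effective policy shows enforcement inherited from a folder or the org.
check_effective_policy() {
  run gcloud resource-manager org-policies describe "$CONSTRAINT" \
    --project="$PROJECT_ID" --effective
}

# 2. Pool and OIDC provider trusting GitHub's token issuer. The attribute
#    condition is the security-relevant part: without it, a token from any
#    GitHub repository would be accepted by this provider.
create_pool() {
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global \
    --display-name="GitHub Actions"
}

create_provider() {
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.ref=assertion.ref" \
    --attribute-condition="assertion.repository == '${GITHUB_REPO}'"
}

# 3. Let identities from that one repository impersonate the service account.
#    The principalSet is scoped to attribute.repository, not the whole pool.
bind_repo_to_sa() {
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/attribute.repository/${GITHUB_REPO}"
}

provider_resource_name() {
  echo "projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID}"
}

# 4. Workflow fragment: id-token:write lets the job request a GitHub OIDC
#    token; google-github-actions/auth exchanges it for short-lived SA credentials.
print_workflow() {
  cat <<EOF
permissions:
  id-token: write
  contents: read
steps:
  - uses: actions/checkout@v4
  - id: auth
    uses: google-github-actions/auth@v2
    with:
      workload_identity_provider: $(provider_resource_name)
      service_account: ${SA_EMAIL}
  - run: gcloud storage ls --project=${PROJECT_ID}
EOF
}

# 5. For an operator who hit the error at the CLI: a short-lived token via
#    impersonation needs roles/iam.serviceAccountTokenCreator on the SA and
#    is not affected by the key-creation constraint.
impersonated_token() {
  run gcloud auth print-access-token --impersonate-service-account="$SA_EMAIL"
}

main() {
  check_effective_policy
  create_pool
  create_provider
  bind_repo_to_sa
  echo "# .github/workflows/deploy.yml fragment:"
  print_workflow
  impersonated_token
}

main
```

By default the script only prints the commands so they can be reviewed; run it with APPLY=1 to execute them. The attribute condition on the provider and the attribute.repository principalSet in the binding are what stop any other GitHub repository from using the pool to reach the service account.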