{
  "id": "policy/gcp-iam-policy-deny-service-account-key-creation",
  "signature": "Permission 'iam.serviceAccountKeys.create' denied on resource 'projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com'",
  "signature_zh": "在资源 'projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com' 上拒绝了权限 'iam.serviceAccountKeys.create'",
  "regex": "Permission 'iam.serviceAccountKeys.create' denied on resource",
  "domain": "policy",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "Organization policy restricts service account key creation to prevent long-lived credentials, but a user or CI/CD pipeline attempts to create a key for automation purposes.",
  "root_cause_type": "generic",
  "root_cause_zh": "组织策略限制服务账号密钥创建以防止长期凭证，但用户或 CI/CD 管道尝试为自动化创建密钥。",
  "versions": [
    {
      "version": "GCP IAM v1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Organization Policy v2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The organization policy deny overrides any IAM permission; even admins cannot create keys if the constraint is active.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Impersonation still requires the key creation permission, which is blocked by the same policy.",
      "fail_rate": 0.75,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Use workload identity federation for CI/CD instead of service account keys (e.g., GitHub Actions OIDC).",
      "success_rate": 0.85,
      "how": "Use workload identity federation for CI/CD instead of service account keys (e.g., GitHub Actions OIDC).",
      "condition": "",
      "sources": []
    },
    {
      "action": "Request an exception to the organization policy via the GCP admin console.",
      "success_rate": 0.7,
      "how": "Request an exception to the organization policy via the GCP admin console.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "使用工作负载身份联合替代服务账号密钥（例如 GitHub Actions OIDC）。",
    "通过 GCP 管理控制台请求组织策略例外。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://cloud.google.com/iam/docs/restricting-service-account-key-creation",
  "official_doc_section": null,
  "error_code": "403",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.8,
  "resolvable": "partial",
  "first_seen": "2024-05-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}