# Permission 'iam.serviceAccountKeys.create' denied on resource 'projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com'

- **ID:** `policy/gcp-iam-policy-deny-service-account-key-creation`
- **Domain:** policy
- **Category:** auth_error
- **Error Code:** `403`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

Organization policy restricts service account key creation to prevent long-lived credentials, but a user or CI/CD pipeline attempts to create a key for automation purposes.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GCP IAM v1 | active | — | — |
| Organization Policy v2 | active | — | — |

## Workarounds

1. **Use workload identity federation for CI/CD instead of service account keys (e.g., GitHub Actions OIDC).** (85% success)
2. **Request an exception to the organization policy via the GCP admin console.** (70% success)
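As an added example (not part of the original record), a GitHub Actions workflow implementing workaround 1: the job exchanges its own GitHub OIDC token for short-lived Google credentials through Workload Identity Federation, so no service account key is ever created and the organization policy is never triggered. The project number, pool and provider names, repository and service account are placeholders; it assumes the pool, the OIDC provider for `token.actions.githubusercontent.com` and a `roles/iam.workloadIdentityUser` binding on the service account were already set up on the GCP side.

```yaml
name: deploy
on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token; without it auth fails

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for a short-lived access token for the
      # service account. Nothing is stored as a secret and no
      # iam.serviceAccountKeys.create call is made, so the key-creation
      # constraint does not apply.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          # placeholder: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider
          service_account: my-sa@my-project.iam.gserviceaccount.com

      - uses: google-github-actions/setup-gcloud@v2

      # Any gcloud call now runs with the federated, short-lived credential.
      - run: gcloud storage ls --project my-project
```

When creating the `roles/iam.workloadIdentityUser` binding, grant it to a `principalSet://` member scoped to the specific repository (and ideally add an attribute condition on the provider), not to the whole pool; an unscoped binding would let any GitHub repository that can reach the provider obtain tokens for this service account.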

## Dead Ends

- The organization policy deny overrides any IAM permission; even admins cannot create keys if the constraint is active. (90% fail)
- Impersonation still requires the key creation permission, which is blocked by the same policy. (75% fail)
