403
policy
auth_error
ai_generated
partial
Permission 'iam.serviceAccountKeys.create' denied on resource 'projects/my-project/serviceAccounts/[email protected]'
ID: policy/gcp-iam-policy-deny-service-account-key-creation
Fix rate: 80%
Confidence: 87%
Evidence count: 1
First seen: 2024-05-20
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| GCP IAM v1 | active | — | — | — |
| Organization Policy v2 | active | — | — | — |
Root cause analysis
Organization policy restricts service account key creation to prevent long-lived credentials, but a user or CI/CD pipeline attempts to create a key for automation purposes.
Official documentation
https://cloud.google.com/iam/docs/restricting-service-account-key-creation
Solutions
- Use workload identity federation instead of service account keys (for example, GitHub Actions OIDC).
- Request an organization policy exception through the GCP management console.
Ineffective attempts
Common but ineffective approaches:
- 90% failure rate: The organization policy deny overrides any IAM permission; even admins cannot create keys if the constraint is active.
- 75% failure rate: Impersonation still requires the key creation permission, which is blocked by the same policy.