How to allow service account key creation in Google Cloud Platform.


Error: Key creation is not allowed on this service account

You may encounter the error "Key creation is not allowed on this service account" when running the CubeBackup Service Account Generator or when manually creating a service account key in Google Cloud Platform. This error is caused by the organization policy constraint iam.disableServiceAccountKeyCreation, which is enforced in your organization.

To resolve this, you can choose to create the CubeBackup service account using a personal Gmail account, or follow the instructions below to get an exception and disable this constraint for your CubeBackup project.

Allow service account key creation for the CubeBackup project

Assign Organization Policy Administrator role

To set an organization policy, you must have the Organization Policy Administrator role.

  1. Sign in to the Google Cloud Console.
  2. Click the project picker in the top panel. In the Select a resource dialog that appears, go to the ALL tab and select the first entry that corresponds to your domain name (e.g. yourdomain.com).
  3. Navigate to the IAM & Admin > IAM page from the left panel.
  4. Click the + Grant access button. A Grant access to yourdomain.com dialog will slide out from the right.
  5. Enter your email address in the Add principals > New principals textbox.
  6. In the Assigned roles > Select a role field, search for Organization Policy Administrator and select it as the assigned role.
  7. Click Save.

Manage organization policy for the CubeBackup project

  1. Click the project picker in the top panel. In the Select a resource dialog that appears, go to the ALL tab and select the CubeBackup project.
  2. Navigate to the IAM & Admin > Organization Policies page from the left panel.
  3. Enter Disable service account key creation in the Filter field to search for the organization policy. You will see two results. Click the first item in the result list and follow steps 4 through 7. Then return to this page, click the second item, and repeat the same steps to apply the same changes.
  4. On the Policy details page, click the Manage policy button.
  5. On the Edit policy page, select Override parent's policy.
  6. Click Add a rule and set Enforcement to Off.
  7. Click Set policy.

Now, return to the CubeBackup Service Account Generator and retry downloading a service account key. The change may need some time to propagate. If it continues to fail, please reach out to us at [email protected].
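
The console steps in both procedures above, written as a gcloud script; this is an added example, not CubeBackup's own tooling. The organization ID, email address and project ID are placeholders, the script name is hypothetical, and the second constraint ID (iam.managed.disableServiceAccountKeyCreation) is an assumption about what the second search result is.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalent of the console steps, scoped to one project.
# ORG_ID, EMAIL and PROJECT_ID are placeholders supplied by the caller.

# Constraints to relax. The first ID is the one named on this page; the second
# (managed variant) is an ASSUMPTION about the other search result.
CONSTRAINTS="iam.disableServiceAccountKeyCreation iam.managed.disableServiceAccountKeyCreation"

# "Assign Organization Policy Administrator role", granted at organization level.
grant_policy_admin() {  # args: ORG_ID EMAIL
  gcloud organizations add-iam-policy-binding "$1" \
    --member="user:$2" --role="roles/orgpolicy.policyAdmin"
}

# Emit the policy document for "Override parent's policy" + "Enforcement: Off".
# The name is project-scoped, so the organization-wide policy stays enforced.
render_policy() {  # args: PROJECT_ID CONSTRAINT
  case "$1" in
    ""|*[!a-z0-9-]*) echo "invalid project id: '$1'" >&2; return 1 ;;
  esac
  printf 'name: projects/%s/policies/%s\n' "$1" "$2"
  printf 'spec:\n  rules:\n  - enforce: false\n'
}

# Apply the exception, then print the effective policy so you can confirm
# what is now in force on this project.
apply_exception() {  # args: PROJECT_ID
  for c in $CONSTRAINTS; do
    tmp="$(mktemp)" || return 1
    render_policy "$1" "$c" > "$tmp" &&
      gcloud org-policies set-policy "$tmp" &&
      gcloud org-policies describe "$c" --project="$1" --effective
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
  done
}

# Usage: ./allow-sa-keys.sh --apply PROJECT_ID   (script name is hypothetical)
if [ "${1:-}" = "--apply" ]; then
  apply_exception "${2:-}"
fi
```

Run grant_policy_admin once beforehand if your account does not yet hold the role. The override is written only to the named project, so other projects in the organization keep the constraint enforced.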