Reputation: 12341
Permission denied when creating a service account key using the gcloud cli
I am trying to create a service account key using the gcloud cli, I searched on google and tried with different service accounts but they all have the same error. I'm not sure what I need to change to make the following work
Ex:
gcloud iam service-accounts keys create ~/key.json \
--iam-account myserviceaccount
Error:
ERROR: (gcloud.iam.service-accounts.keys.create) PERMISSION_DENIED: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/myserviceaccount
Upvotes: 12
Views: 23892
Answers (3)
Reputation: 1215
- Go to the organization (not the project)
- Go to IAM
- Give the organization the role "Organization Policy Administrator" and save.
- Go to organization policies
- Edit the "Disable Service Account Key Creation" (still as the org) and disable.
NOTE: You need to give "POLICY" administrator. "Organization Administrator" is an insufficient permission set.
Upvotes: 3
Reputation: 4914
tl;dr the iam-account doesn't exist.
Annoyingly I ran into the same issue running:
gcloud iam service-accounts keys create \
key.json \
--iam-account [email protected]
And getting:
ERROR: (gcloud.iam.service-accounts.keys.create) PERMISSION_DENIED: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/[email protected].
I am project Owner so I definitely had all the permissions required (I even explicitly added Service Account Key Admin but it still didn't work.
But it was actually because that particular iam-account didn't exist.
Not a very helpful error message.
Upvotes: 42
Reputation: 2260
Based on the Creating and Managing Service Account Keys documentation, it is required to set the iam.serviceAccountKeyAdmin role permissions in order to manage the service account keys, as well mentioned by Will Faris.
Required permissions:
To allow a user to manage service account keys, grant the Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin). Cloud IAM primitive roles also contain permissions to manage service account keys, but we recommend granting this role instead to prevent unnecessary access to other GCP resources.
Additionally, You can take a look on the Granting, Changing, and Revoking Access to Project Members guide to know more about the process required to add a role access in GCP, as well as the Understanding Roles document, that contains the available roles when working with Service Accounts.
Upvotes: 11
Related Questions
- gcloud auth activate-service-account [ERROR] Please ensure provided key file is valid
- Permission denied when creating GCP Service Account Key
- gcloud iam service-accounts keys create gives invalid jwt signature error
- How to create API Keys in GCP using service accont
- Create Api Key using gcloud?
- Error while creating service account in GCP via SDK
- Service account key creation in GCP using rest API
- Unable to create key file for iam account GCP using gcloud
- Error when trying to create a serviceaccount key in deployment manager
- Generate service account credentials from gcloud utility