Firebase will not let me create service account key

When trying to generate and download a new service account key I get a message that I have reached my limit. I don't have any keys created so it seems the limit is 0.

I am using a Google Workspace account. I believe that this setting is being limited by the organization that the Gmail account is associated with. There is only one email for the organization which I am using and it is the administrator. I have the ability to change any Google Cloud setting but I have no idea where to go and do this.

The main reason why I mention Workspace is that it's only happening on this new account with a new Workspace domain and a fresh Firebase install. I spun up a quick Firebase project with a gmail account and did not have an issue with keys at all.

I need a key so that I can create a node.js program that sets custom claims on authenticated users.

Doug Stevenson: Even though the message says you have reached the limit it doesn't make sense because I don't have any keys created.

Also, here is what happens when the steps you provided are followed.

Click the Add key drop-down menu, then select Create new key. Select JSON as the Key type and click Create.

I found a place to edit organizational constraints however it appears here that the disableServiceAccountCreation is not enforced. https://console.cloud.google.com/iam-admin/orgpolicies

Subscription answered 20/3 at 17:38 Comment(6)
If you see an error message, it's a good idea to start with a web search using the exact text. That's how I found the instructions. - Prowess
1) A service account can have a maximum of 10 keys (reference). 2) If you are trying to exceed the max, you have three choices: a) purge a key, reuse an existing key, or create a new service account and key. 3) Be cautious of service account key sprawl. That is a quick way to lose track of keys. That also affects the principal recorded in the audit logs. For each use case, a best practice is to create a service account with one key. 4) I recommend consulting with your organization's IAM admin. - Eastwood
Another question. Why do you need to create a service account key for Functions? Use the built-in features to assign a service account to the Function. That feature removes the requirement for a service account key. Edit your question to explain why you need a key. There might be other solutions. - Eastwood
Why does your question title have "Workspace Gmail account" in the title? Workspace is not part of your problem or solution. - Eastwood
Hi John, I did not communicate clearly in my question. I said I had multiple keys. I feel pretty foolish to admit this but what I have is multiple service accounts. I don't have any keys. I cannot create one either through the Firebase UI or the Google Cloud UI. The main reason why I mention Workspace is that it's only happening on this new account with a new Workspace domain and a fresh Firebase install. I spun up a quick Firebase project with a Gmail account and did not have an issue with keys at all. I will edit the question to include why I need a key. - Subscription
I have edited the title and made adjustments to the content of the question. I hope it's more clear now. If you have time to look at it again I would truly appreciate it. TY. - Subscription
A
13

It's something they changed recently I believe - or a recent bug. Never had this issue, now it's default with any new account. I also reported it as a bug with their support - let's see if they respond.

So either way you would follow this link:

  1. Go to the parent level IAM - this means that if you are inside a "project" - you would need to go to the account's IAM (on the left menu)

  2. Grant your account the access "Organization Policy Administrator"

  3. Now, go to the "Organization Policies"

  4. Find policy "Disable service account key creation" and put it in ENFORCE: OFF

  5. Now, go to the project level - and delete all service keys created wrongfully

  6. (All of this was done on Google Cloud) so now go back to Firebase's generate service account - refresh it (may require double refresh) - it will have created a new "ok" service account

  7. Now, hit generate private key.

  8. All done :)

Allhallowmas answered 28/5 at 15:49 Comment(4)
I am trying to integrate Firebase with Clerk and ran into this issue. I followed the above steps and with a bit of extra fiddling around I can confirm it works ^ :) Thank you. - Pentheam
Worked for me also. But the first instruction was a bit unclear to me as I'm not used to Google Workspace. This selection is on the top/header of the screen, not on the left side (where I was searching). - Rameriz
Thank you so much. You helped me more than the Google support person did :) - Hebraism
Thank youuuu! I was going crazy trying to get this to work - Sikorsky
E
2

I just went through this, and wanted to share what I learned: Google changed this default in May 2024. The instructions by @user967710 work great, my advice is, if you (like me) are not really a GCP user (I'm only doing this for Android messaging) make sure you're setting the permissions at the right level:

  • This MUST happen at the organization level --> Grant your account the access "Organization Policy Administrator"
  • This MUST happen at the project level once your account has the Organization Policy Administrator role --> Find policy "Disable service account key creation" and put it in ENFORCE: OFF
Endemic answered 13/7 at 18:47 Comment(1)
I struggled with this relatively long as it always worked before May 3, 2024. Having read this I got it working very fast: googlecloudcommunity.com/gc/Cloud-Hub/…
  1. Go to the organisation level of Firebase console -> IAM
  2. Click the Edit principal icon
  3. ADD IAM CONDITION -> Organization Administrator ADD IAM CONDITION -> Organization Policy Administrator
  4. Save
  5. Now select project firebase console top left
  6. Organization Policies
  7. Filter -> disableServiceAccountKeyCreation
  8. Set it to non enforced
- Oilskin
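
Added example, not part of any answer above: the console steps from the two answers scripted with gcloud, with the override scoped to a single project so that key creation stays blocked everywhere else in the organization. The organization ID, project ID, admin e-mail and policy file name are placeholder arguments; commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not code from the original page. All IDs passed in are placeholders.
# The constraint that blocks key downloads is the *key* creation one,
# not iam.disableServiceAccountCreation.
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Print the command by default; execute it only when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Org Policy v2 file that turns enforcement off for ONE project only,
# leaving the inherited organization-wide default untouched.
render_policy() {
  case "$1" in
    ""|*[!a-z0-9-]*) echo "invalid project id: '$1'" >&2; return 1 ;;
  esac
  printf 'name: projects/%s/policies/%s\nspec:\n  rules:\n  - enforce: false\n' \
    "$1" "$CONSTRAINT"
}

# usage: allow_key_creation ORG_ID PROJECT_ID ADMIN_EMAIL [POLICY_FILE]
allow_key_creation() {
  org_id="$1"; project_id="$2"; admin="$3"; policy_file="${4:-policy.yaml}"
  policy="$(render_policy "$project_id")" || return 1
  printf '%s\n' "$policy" > "$policy_file"

  # The role must be granted on the organization, not on the project.
  run gcloud organizations add-iam-policy-binding "$org_id" \
    --member="user:$admin" --role="roles/orgpolicy.policyAdmin"

  # Show the effective policy before and after, so the change is verified
  # against the right constraint and the right resource.
  run gcloud org-policies describe "$CONSTRAINT" --project="$project_id" --effective
  run gcloud org-policies set-policy "$policy_file"
  run gcloud org-policies describe "$CONSTRAINT" --project="$project_id" --effective
}
```

Review the printed commands first, for example with `allow_key_creation 123456789012 my-project admin@example.com`, then rerun with `DRY_RUN=0` to apply them.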
A
0

You are not looking at the correct org policy

Disable service account creation

Disable service account key creation

You were looking at SA creation not key creation

Accalia answered 21/3 at 13:36 Comment(0)
