Permission denied when creating a service account key using the gcloud cli
I am trying to create a service account key using the gcloud CLI. I searched on Google and tried different service accounts, but they all give the same error. I'm not sure what I need to change to make the following work.

Ex:

gcloud iam service-accounts keys create ~/key.json \
    --iam-account myserviceaccount

Error:

ERROR: (gcloud.iam.service-accounts.keys.create) PERMISSION_DENIED: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/myserviceaccount
Bunco answered 24/7, 2018 at 21:56 Comment(2)
You need to have the IAM role "Service Account Key Admin" before you can perform this operation. This can be granted to you in the IAM section of Google's Cloud Console. – Sells
Yes, first you need to create the service account, for example $ gcloud iam service-accounts create devopsaccount --display-name "DevOps on projectA". After that you can perform the key creation with $ gcloud iam service-accounts keys create ./devops_credentials.json --iam-account [email protected] – Kaleidoscope
Based on the Creating and Managing Service Account Keys documentation, it is required to have the iam.serviceAccountKeyAdmin role in order to manage service account keys, as also mentioned by Will Faris.

Required permissions:

To allow a user to manage service account keys, grant the Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin). Cloud IAM primitive roles also contain permissions to manage service account keys, but we recommend granting this role instead to prevent unnecessary access to other GCP resources.

Additionally, you can take a look at the Granting, Changing, and Revoking Access to Project Members guide to learn more about the process required to add a role in GCP, as well as the Understanding Roles document, which lists the available roles when working with service accounts.

Wyly answered 30/8, 2018 at 14:24 Comment(0)
tl;dr the iam-account doesn't exist.

Annoyingly I ran into the same issue running:

gcloud iam service-accounts keys create \
    key.json \
    --iam-account [email protected]

And getting:

ERROR: (gcloud.iam.service-accounts.keys.create) PERMISSION_DENIED: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/[email protected].

I am project Owner, so I definitely had all the permissions required (I even explicitly added Service Account Key Admin, but it still didn't work).

But it was actually because that particular iam-account didn't exist.

Not a very helpful error message.

Inapproachable answered 30/10, 2018 at 9:3 Comment(3)
Thank you. This was the correct answer for me, and probably many others. Make sure you've typed the service account and project correctly. – Chadd
As of today, I get "Unknown service account" when I try this: $ gcloud iam service-accounts keys create ~/key.json --iam-account [email protected] -> ERROR: (gcloud.iam.service-accounts.keys.create) NOT_FOUND: Unknown service account – Gharry
Don't forget to change your project name if you're using an address of this type in your commands: [email protected] – Kuebbing
  1. Go to the organization (not the project)
  2. Go to IAM
  3. Give the organization the role "Organization Policy Administrator" and save.
  4. Go to organization policies
  5. Edit the "Disable Service Account Key Creation" (still as the org) and disable.

NOTE: You need to give "POLICY" administrator. "Organization Administrator" is an insufficient permission set.

Registration answered 27/3, 2024 at 2:15 Comment(0)
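The answers above name three distinct causes for the same `keys create` failure: the `--iam-account` value is not a real account (a bare name as in the question, or a typo in the address or project), the caller lacks `roles/iam.serviceAccountKeyAdmin`, or the organization policy `constraints/iam.disableServiceAccountKeyCreation` forbids key creation entirely. The script below is an added diagnostic that sorts gcloud's stderr into those cases and prints the matching next step; it is example code, not part of the thread and not a gcloud feature. Assumptions: `GCLOUD` can be pointed at a stub so the logic runs without credentials; the org-policy refusal is assumed to surface as a `FAILED_PRECONDITION ... not allowed` message, which the thread does not show; `user:YOU` is a placeholder member. The thread itself shows that a non-existent account produced `PERMISSION_DENIED` in 2018 and `NOT_FOUND: Unknown service account` later, so both are handled.

```shell
#!/usr/bin/env bash
# Sort out why `gcloud iam service-accounts keys create` failed.
# Added example; not from the original thread and not part of gcloud.
# Assumptions: GCLOUD may be a stub (for offline use); the FAILED_PRECONDITION
# wording for the org-policy case is assumed; YOU is a placeholder principal.

GCLOUD="${GCLOUD:-gcloud}"

# A bare name such as "myserviceaccount" (the question) is sent as
# projects/-/serviceAccounts/myserviceaccount, which names no account.
# Returns 0 for a full service-account e-mail, 1 otherwise.
sa_email_is_well_formed() {
    case "$1" in
        *@*.gserviceaccount.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify gcloud's stderr. Echoes one of:
#   ok, bad_identifier, no_such_account, denied, org_policy, unknown
# "denied" is ambiguous on purpose: the thread shows the identical
# PERMISSION_DENIED for a missing role and for a non-existent account.
classify_key_create_error() {
    err_text="$1"; sa_arg="$2"
    case "$err_text" in
        "") echo ok ;;
        *"NOT_FOUND: Unknown service account"*) echo no_such_account ;;
        *"FAILED_PRECONDITION"*"not allowed"*) echo org_policy ;;   # assumed wording
        *"PERMISSION_DENIED"*"iam.serviceAccountKeys.create"*)
            if sa_email_is_well_formed "$sa_arg"; then echo denied; else echo bad_identifier; fi ;;
        *) echo unknown ;;
    esac
}

# Turn the classification into a concrete next step. Only the "denied" case
# calls gcloud (`describe` resolves the missing-account vs missing-role ambiguity).
recommend_fix() {
    sa="$1"; project="$2"; err="$3"
    case "$(classify_key_create_error "$err" "$sa")" in
        ok) echo "key created" ;;
        bad_identifier)
            echo "use the full e-mail, e.g. ${sa}@${project}.iam.gserviceaccount.com" ;;
        no_such_account)
            echo "no account ${sa}: check the spelling and that ${project} is the right project" ;;
        denied)
            if "$GCLOUD" iam service-accounts describe "$sa" --project "$project" >/dev/null 2>&1; then
                # Grant the role on this one account, not project-wide (least privilege).
                echo "grant the role on the account only: $GCLOUD iam service-accounts add-iam-policy-binding $sa --project $project --member=user:YOU --role=roles/iam.serviceAccountKeyAdmin"
            else
                echo "account ${sa} not found in ${project}: fix the name/project before touching IAM"
            fi ;;
        org_policy)
            echo "constraints/iam.disableServiceAccountKeyCreation is enforced: prefer impersonation or workload identity, or ask an Organization Policy Administrator to relax it" ;;
        *) echo "unrecognised error: $err" ;;
    esac
}

# Stand-alone use (real gcloud): pipe the failing command's stderr in.
#   gcloud iam service-accounts keys create key.json --iam-account SA 2>&1 >/dev/null \
#     | ./diagnose_sa_key.sh SA PROJECT_ID
if [ "$#" -eq 2 ]; then
    recommend_fix "$1" "$2" "$(cat)"
fi
```

Two caveats a practitioner would add to the accepted fixes: a downloaded key is a long-lived, non-revocable-by-rotation-only secret, so the org policy in the last answer usually exists deliberately; `gcloud ... --impersonate-service-account SA` or workload identity avoids minting a key at all. If a key really is needed, bind `roles/iam.serviceAccountKeyAdmin` on the single service account (as the script suggests) rather than at project level, where it allows minting keys for every account in the project.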