Troubleshoot organization policy errors for service accounts

The Organization Policy Service has several predefined and managed constraints that can affect service accounts in your organization. This page helps you understand what errors those organization policies generate, and the steps that you can take to resolve those errors.

Required roles

To get the permissions that you need to troubleshoot organization policy issues, ask your administrator to grant you the Organization Policy Administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Troubleshoot disabled service account key creation

If the iam.disableServiceAccountKeyCreation constraint is enforced for your organization, then you can't create keys for any service accounts in your organization. For more information about this constraint, see Disable service account key creation.

Note: If your organization was created on or after May 3, 2024, this constraint is enforced by default.

Key creation error

If you try to create a service account key, but the action is blocked by the iam.disableServiceAccountKeyCreation constraint, you get the following error message:

Console

In the Google Cloud console, a dialog appears with the heading Service account key creation is disabled. The dialog states that the iam.disableServiceAccountKeyCreation constraint is enforced on your organization.

gcloud

ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: Key creation is not allowed on this service account.
    subject: projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com?configvalue=SERVICE_ACCOUNT_ID%40PROJECT_ID.iam.gserviceaccount.com
    type: constraints/iam.disableServiceAccountKeyCreation

REST

{
  "error": {
    "code": 400,
    "message": "Key creation is not allowed on this service account.",
    "status": "FAILED_PRECONDITION",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [
          {
            "type": "constraints/iam.disableServiceAccountKeyCreation",
            "subject": "projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com?configvalue=SERVICE_ACCOUNT_ID%40PROJECT_ID.iam.gserviceaccount.com",
            "description": "Key creation is not allowed on this service account."
          }
        ]
      }
    ]
  }
}

Recommended resolution for service account key creation error

If an organization policy prevents you from creating a service account key, we recommend that you do the following:

  1. Assess whether a service account key is needed.

    We don't recommend using service account keys for authentication. Service account keys are long-lived bearer credentials: if they're not managed properly they become a security risk, increasing your exposure to threats like credential leakage, privilege escalation, information disclosure, and loss of non-repudiation (actions performed with a shared key can't be attributed to a specific person).

    In most cases, you should use a more secure alternative to authenticate instead of using a service account key.

  2. If a service account key is needed for your use case, disable the iam.disableServiceAccountKeyCreation constraint for your project.

To disable the organization policy constraint, either turn off enforcement for the constraint across the entire organization, or exempt only the resources that need keys while the constraint stays enforced everywhere else. The exemption is the narrower change and is the one to prefer:

  • To turn off enforcement for the constraint for your entire organization, do the following:

    1. Ensure that you have the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) at the organization level. This role is only available to grant on organizations, and doesn't appear in the role list for projects.

      To learn how to grant roles at the organization level, see Manage access to projects, folders, and organizations.

    2. In the Google Cloud console, go to the Organization policies page.


    3. In the project selector, select the organization that you want to disable the iam.disableServiceAccountKeyCreation constraint for.

    4. In the Filter field, enter iam.disableServiceAccountKeyCreation. Then, in the policy list, click Disable service account key creation.

    5. Click Manage policy.

    6. In the Policy source section, ensure that Override parent's policy is selected.

    7. Under Enforcement, turn off enforcement for this organization policy constraint.

    8. Click Set policy.

  • To exempt specific service accounts from enforcement while the constraint stays enforced for everything else, do the following:

    1. Ensure that you have the Tag Administrator role (roles/resourcemanager.tagAdmin) and the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) at the organization level. To learn how to grant roles at the organization level, see Manage access to projects, folders, and organizations.
    2. At the organization level, create a tag key and tag values that you will use to define whether a resource should be exempt from the organization policy. We recommend creating a tag with the key disableServiceAccountKeyCreation and the values enforced and not_enforced.

      To learn how to create tag keys and tag values, see Creating and defining a new tag.

    3. Attach the disableServiceAccountKeyCreation tag to the organization and set its value to enforced. All resources in the organization inherit this tag value, unless it's overwritten with a different tag value.

      To learn how to attach tags to resources, see Attaching tags to resources.

    4. For each service account that you want to exempt from the organization policy, attach the disableServiceAccountKeyCreation tag and set its value to not_enforced. Setting a tag value for a service account in this way overrides the tag value inherited from the organization.
    5. Create or update the organization policy that prevents the creation of service account keys so that it doesn't enforce the constraint for exempt resources. This policy should have the following rules:

      • Configure the iam.disableServiceAccountKeyCreation constraint to not be enforced on any resources with the disableServiceAccountKeyCreation: not_enforced tag. The condition in this rule should look like the following:

        "resource.matchTag('ORGANIZATION_ID/disableServiceAccountKeyCreation', 'not_enforced')"
      • Configure the iam.disableServiceAccountKeyCreation constraint to be enforced on all other resources. This second, unconditional rule is what keeps the constraint enforced for every resource that doesn't carry the exemption tag; don't omit it, and check that the tag key in the condition is the same one you attached to the organization.

Troubleshoot disabled service account creation

If the iam.disableServiceAccountCreation constraint is enforced for your organization, then you can't create service accounts in any projects in your organization. For more information about this constraint, see Disable service account creation.

Service account creation error

If you try to create a service account, but the action is blocked by the iam.disableServiceAccountCreation constraint, you get the following error message:

Console

In the Google Cloud console, a dialog appears with the heading Service account creation failed. The dialog states, The attempted action failed, please try again. This console message doesn't name the constraint; to confirm that the organization policy is the cause, retry the operation with the gcloud CLI or the REST API, which return the constraint name in the error.

gcloud

ERROR: (gcloud.iam.service-accounts.create) FAILED_PRECONDITION: Service account creation is not allowed on this project.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: Service account creation is not allowed on this project.
    subject: projects/PROJECT_ID/serviceAccounts/?configvalue=
    type: constraints/iam.disableServiceAccountCreation

REST

{
  "error": {
    "code": 400,
    "message": "Service account creation is not allowed on this project.",
    "status": "FAILED_PRECONDITION",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [
          {
            "type": "constraints/iam.disableServiceAccountCreation",
            "subject": "projects/PROJECT_ID/serviceAccounts/?configvalue=",
            "description": "Service account creation is not allowed on this project."
          }
        ]
      }
    ]
  }
}

Recommended resolution for service account creation error

If an organization policy prevents you from creating a service account, we recommend that you do the following:

  1. Assess whether a service account is needed.

    Review Choose when to use service accounts to confirm that a service account is needed for your use case.

  2. If a service account is needed for your use case, disable the iam.disableServiceAccountCreation constraint for your project.

To disable the organization policy constraint, either turn off enforcement for the constraint across the entire organization, or exempt only the projects or folders that need service accounts while the constraint stays enforced everywhere else. The exemption is the narrower change and is the one to prefer:

  • To turn off enforcement for the constraint for your entire organization, do the following:

    1. Ensure that you have the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) at the organization level. This role is only available to grant on organizations, and doesn't appear in the role list for projects.

      To learn how to grant roles at the organization level, see Manage access to projects, folders, and organizations.

    2. In the Google Cloud console, go to the Organization policies page.


    3. In the project selector, select the organization that you want to disable the iam.disableServiceAccountCreation constraint for.

    4. In the Filter field, enter iam.disableServiceAccountCreation. Then, in the policy list, click Disable service account creation.

    5. Click Manage policy.

    6. In the Policy source section, ensure that Override parent's policy is selected.

    7. Under Enforcement, turn off enforcement for this organization policy constraint.

    8. Click Set policy.

  • To exempt specific projects or folders from enforcement while the constraint stays enforced for everything else, do the following:

    1. Ensure that you have the Tag Administrator role (roles/resourcemanager.tagAdmin) and the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) at the organization level. To learn how to grant roles at the organization level, see Manage access to projects, folders, and organizations.
    2. At the organization level, create a tag key and tag values that you will use to define whether a resource should be exempt from the organization policy. We recommend creating a tag with the key disableServiceAccountCreation and the values enforced and not_enforced.

      To learn how to create tag keys and tag values, see Creating and defining a new tag.

    3. Attach the disableServiceAccountCreation tag to the organization and set its value to enforced. All resources in the organization inherit this tag value, unless it's overwritten with a different tag value.

      To learn how to attach tags to resources, see Attaching tags to resources.

    4. For each project or folder that you want to exempt from the organization policy, attach the disableServiceAccountCreation tag and set its value to not_enforced. Setting a tag value for a project or folder in this way overrides the tag value inherited from the organization.
    5. Create or update the organization policy that prevents the creation of service accounts so that it doesn't enforce the constraint for exempt resources. This policy should have the following rules:

      • Configure the iam.disableServiceAccountCreation constraint to not be enforced on any resources with the disableServiceAccountCreation: not_enforced tag. The condition in this rule should look like the following:

        "resource.matchTag('ORGANIZATION_ID/disableServiceAccountCreation', 'not_enforced')"
      • Configure the iam.disableServiceAccountCreation constraint to be enforced on all other resources. This second, unconditional rule is what keeps the constraint enforced for every resource that doesn't carry the exemption tag; don't omit it, and check that the tag key in the condition is the same one you attached to the organization.
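The tag-based exemption above, and the identical procedure for iam.disableServiceAccountKeyCreation earlier on this page, both come down to one policy file with two rules plus a handful of tag commands. The following Python is an added example, not code from the Google Cloud documentation: it builds that policy body in the form that gcloud org-policies set-policy POLICY_FILE accepts (JSON, which is valid YAML), checks that the policy stays fail-closed before you apply it, and prints the gcloud tag commands for the setup. The organization ID, project ID, project number, service account unique ID and tag names are placeholders, and the full resource names used for tag bindings are the formats I assume from the tagging documentation.

```python
"""Build and sanity-check a tag-conditional organization policy.

Added example, not code from the Google Cloud documentation. All identifiers
below are placeholders. The policy body is what
`gcloud org-policies set-policy POLICY_FILE` consumes (JSON is valid YAML).
"""
import json

ORG_ID = "123456789012"                 # placeholder organization ID
PROJECT_ID = "my-project"               # placeholder project ID
PROJECT_NUMBER = "987654321098"         # placeholder project number
SA_UNIQUE_ID = "112233445566778899000"  # placeholder numeric ID of a service account


def exemption_policy(org_id: str, constraint: str, tag_key: str,
                     exempt_value: str = "not_enforced") -> dict:
    """Policy for a boolean constraint: enforced everywhere except on
    resources that carry the tag ORG_ID/tag_key=exempt_value (directly or
    by inheritance). The unconditional rule is the default for every
    resource that matches no condition."""
    return {
        "name": f"organizations/{org_id}/policies/{constraint}",
        "spec": {
            "rules": [
                {
                    "condition": {
                        "title": f"Exempt resources tagged {tag_key}={exempt_value}",
                        "expression": f"resource.matchTag('{org_id}/{tag_key}', '{exempt_value}')",
                    },
                    "enforce": False,
                },
                {"enforce": True},
            ]
        },
    }


def check_fail_closed(policy: dict, org_id: str, tag_key: str) -> list[str]:
    """Findings for the mistakes that silently widen an exemption: no
    unconditional enforce rule, or a condition on a different tag than the
    one attached to the organization. An empty list means the shape is right."""
    findings: list[str] = []
    rules = policy.get("spec", {}).get("rules", [])
    unconditional = [r for r in rules if "condition" not in r]
    conditional = [r for r in rules if "condition" in r]
    if len(unconditional) != 1:
        findings.append(f"expected exactly one unconditional rule, found {len(unconditional)}")
    elif unconditional[0].get("enforce") is not True:
        findings.append("unconditional rule must set enforce: true")
    if not conditional:
        findings.append("no conditional rule: nothing is exempted")
    expected = f"resource.matchTag('{org_id}/{tag_key}', "
    for rule in conditional:
        expr = rule["condition"].get("expression", "")
        if not expr.startswith(expected):
            findings.append(f"condition does not test tag {org_id}/{tag_key}: {expr}")
        if rule.get("enforce") is not False:
            findings.append(f"conditional rule must set enforce: false: {expr}")
    return findings


def setup_commands(org_id: str, tag_key: str, exempt_resource: str,
                   policy_file: str) -> list[str]:
    """gcloud commands: create the tag key and values, pin the organization
    to `enforced`, mark one resource `not_enforced`, then apply the policy."""
    org = f"//cloudresourcemanager.googleapis.com/organizations/{org_id}"
    return [
        f"gcloud resource-manager tags keys create {tag_key} --parent=organizations/{org_id}",
        f"gcloud resource-manager tags values create enforced --parent={org_id}/{tag_key}",
        f"gcloud resource-manager tags values create not_enforced --parent={org_id}/{tag_key}",
        f"gcloud resource-manager tags bindings create --tag-value={org_id}/{tag_key}/enforced --parent={org}",
        f"gcloud resource-manager tags bindings create --tag-value={org_id}/{tag_key}/not_enforced --parent={exempt_resource}",
        f"gcloud org-policies set-policy {policy_file}",
    ]


# Full resource names for tag bindings (formats assumed from the tagging docs):
# a service account for the key-creation constraint, a project for the
# service-account-creation constraint.
SERVICE_ACCOUNT_RESOURCE = f"//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{SA_UNIQUE_ID}"
PROJECT_RESOURCE = f"//cloudresourcemanager.googleapis.com/projects/{PROJECT_NUMBER}"

if __name__ == "__main__":
    tag_key = "disableServiceAccountKeyCreation"
    policy = exemption_policy(ORG_ID, "iam.disableServiceAccountKeyCreation", tag_key)
    problems = check_fail_closed(policy, ORG_ID, tag_key)
    if problems:
        raise SystemExit("refusing to apply: " + "; ".join(problems))
    print(json.dumps(policy, indent=2))  # save this output as policy.json
    print("\n".join(setup_commands(ORG_ID, tag_key, SERVICE_ACCOUNT_RESOURCE, "policy.json")))
```

Run check_fail_closed against any policy file you hand-edit as well: a policy that has only the conditional rule, or whose condition names a tag key that differs from the one bound to the organization, passes gcloud's syntax validation but no longer enforces the constraint the way you intended.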

Troubleshoot granting roles to default service accounts

Default service accounts are created automatically when you use certain Google Cloud services. They have the following identifiers:

  • App Engine default service account: PROJECT_ID@appspot.gserviceaccount.com
  • Compute Engine default service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com

All default service accounts are automatically granted the Editor role (roles/editor) when they're created, unless that behavior is disabled by an organization policy. There are two organization policy constraints that prevent the Editor role from being granted to the default service accounts:

  • iam.automaticIamGrantsForDefaultServiceAccounts: A predefined constraint that prevents the default service accounts from being granted roles automatically. This constraint doesn't prevent you from later granting the Editor role to default service accounts.
  • constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts: A managed constraint that prevents the Editor and Owner (roles/owner) roles from ever being granted to the default service accounts.

Granting basic roles to service accounts error

If the iam.automaticIamGrantsForDefaultServiceAccounts constraint or the constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts constraint is enforced for your project, then workloads in your project that use the default service accounts might encounter insufficient permission errors. To learn which roles to grant to a default service account, see Recommended resolution for granting roles to default service accounts.

The iam.automaticIamGrantsForDefaultServiceAccounts constraint doesn't cause errors on its own. However, because of this constraint, it's possible that a workload that uses the default service account won't have the permissions that it needs.

Additionally, if the constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts constraint is enforced for your project, then you'll see an error message like the following if you try to grant the Owner or Editor role to a default service account:

Console

In the Google Cloud console, a dialog appears with the heading IAM policy update failed. The dialog states that the changes you are trying to make to your IAM policy have been restricted by your organization policy administrator, then lists the constraints blocking the update. The constraints listed include the customConstraints/custom.cantGrantProjectIamAdmin constraint.

gcloud

ERROR: (gcloud.projects.set-iam-policy) FAILED_PRECONDITION: Operation denied by org policy on resource 'RESOURCE_ID': ["constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts": "When this constraint is enforced, it prevents anyone from granting the Editor role (roles/editor) or the Owner role (roles/owner) to the Compute Engine and App Engine default service accounts, at any time. To learn more about default service accounts, see https://cloud.google.com/iam/help/service-accounts/default. Enforcing this constraint prevents the default service accounts from automatically being granted the Editor role (roles/editor). This might cause permission issues for services that use these service accounts. To learn which roles to grant to each service account, see https://cloud.google.com/iam/help/service-accounts/troubleshoot-roles-default."].

REST

{
  "error": {
    "code": 400,
    "message": "Operation denied by org policy on resource 'RESOURCE_ID': [\"constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts\": \"When this constraint is enforced, it prevents anyone from granting the Editor role (roles/editor) or the Owner role (roles/owner) to the Compute Engine and App Engine default service accounts, at any time. To learn more about default service accounts, see https://cloud.google.com/iam/help/service-accounts/default.\n Enforcing this constraint prevents the default service accounts from automatically being granted the Editor role (roles/editor). This might cause permission issues for services that use these service accounts. To learn which roles to grant to each service account, see https://cloud.google.com/iam/help/service-accounts/troubleshoot-roles-default.\"].",
    "status": "FAILED_PRECONDITION",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CUSTOM_ORG_POLICY_VIOLATION",
        "domain": "googleapis.com",
        "metadata": {
          "customConstraints": "constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts",
          "resource": "projects/PROJECT_ID"
        }
      }
    ]
  }
}
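The three REST errors on this page have two different shapes: the two creation constraints report a google.rpc.PreconditionFailure whose violations name the constraint and a subject with a ?configvalue= suffix, while the managed constraint reports a google.rpc.ErrorInfo with reason CUSTOM_ORG_POLICY_VIOLATION and the constraint in metadata. Anything that automates these calls (a CI job that provisions service accounts, a bootstrap script that sets IAM bindings) should recognise both rather than surface a bare 400. The following Python is an added example, not code from the Google Cloud documentation; the sample error bodies in it are constructed from the REST responses shown on this page with placeholder project and service account names, and the resolution strings are my summary of the recommendations on this page.

```python
"""Triage an organization-policy denial from a google.rpc.Status error body.

Added example, not code from the Google Cloud documentation. Sample error
bodies are constructed from the REST responses on this page; the project
and service account names in them are placeholders.
"""
import json

# What to do about each constraint (summary of the resolutions on this page).
RESOLUTIONS = {
    "constraints/iam.disableServiceAccountKeyCreation":
        "Prefer a keyless alternative; otherwise exempt the service account with a tag.",
    "constraints/iam.disableServiceAccountCreation":
        "Confirm a service account is needed; otherwise exempt the project or folder with a tag.",
    "constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts":
        "Do not grant Editor or Owner; grant the service-specific role instead.",
}


def _entry(constraint: str, resource: str) -> dict:
    return {
        "constraint": constraint,
        "resource": resource,
        "resolution": RESOLUTIONS.get(constraint, "Review the constraint's documentation."),
    }


def org_policy_denials(error_body: str) -> list[dict]:
    """Return one entry per organization policy violation found in the error
    body; an empty list means the failure was not an org policy denial."""
    err = json.loads(error_body).get("error", {})
    found = []
    for detail in err.get("details", []):
        kind = detail.get("@type", "")
        if kind.endswith("google.rpc.PreconditionFailure"):
            for violation in detail.get("violations", []):
                ctype = violation.get("type", "")
                if not ctype.startswith("constraints/"):
                    continue
                # The subject carries a '?configvalue=...' suffix; drop it so the
                # resource name can be matched against inventory or logs.
                resource = violation.get("subject", "").split("?", 1)[0].rstrip("/")
                found.append(_entry(ctype, resource))
        elif (kind.endswith("google.rpc.ErrorInfo")
              and detail.get("reason") == "CUSTOM_ORG_POLICY_VIOLATION"):
            meta = detail.get("metadata", {})
            # Assumption: metadata.customConstraints names a single constraint.
            found.append(_entry(meta.get("customConstraints", ""), meta.get("resource", "")))
    return found


# Constructed sample bodies modelled on the REST responses above (placeholders).
KEY_CREATION_DENIED = json.dumps({"error": {
    "code": 400, "status": "FAILED_PRECONDITION",
    "message": "Key creation is not allowed on this service account.",
    "details": [{
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [{
            "type": "constraints/iam.disableServiceAccountKeyCreation",
            "subject": "projects/my-project/serviceAccounts/app-sa@my-project.iam.gserviceaccount.com"
                       "?configvalue=app-sa%40my-project.iam.gserviceaccount.com",
            "description": "Key creation is not allowed on this service account."}]}]}})

BASIC_ROLE_DENIED = json.dumps({"error": {
    "code": 400, "status": "FAILED_PRECONDITION",
    "message": "Operation denied by org policy on resource 'my-project': [...]",
    "details": [{
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CUSTOM_ORG_POLICY_VIOLATION", "domain": "googleapis.com",
        "metadata": {
            "customConstraints": "constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts",
            "resource": "projects/my-project"}}]}})

PERMISSION_DENIED = json.dumps({"error": {
    "code": 403, "status": "PERMISSION_DENIED",
    "message": "The caller does not have permission", "details": []}})

if __name__ == "__main__":
    for body in (KEY_CREATION_DENIED, BASIC_ROLE_DENIED, PERMISSION_DENIED):
        for hit in org_policy_denials(body) or [{"constraint": None, "resource": None,
                                                 "resolution": "not an org policy denial"}]:
            print(hit)
```

The distinction matters operationally: a PERMISSION_DENIED means the caller lacks an IAM permission and a role grant fixes it, while an org policy denial cannot be fixed by granting the caller more access, only by the policy-side changes described on this page.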

Recommended resolution for granting roles to default service accounts

If an organization policy prevents you from granting the Editor or Owner role to a default service account, then you should find a less permissive role to grant to the service account. The role that the service account needs depends on the service you're using and the tasks you want to accomplish.

Note: We don't recommend disabling the organization policy. The Editor and Owner roles are basic roles, and shouldn't be used in production environments. However, if you decide to disable the organization policy, follow the instructions for editing organization policies.

Review the following list to determine which role to grant to which default service account, depending on the service you're using:

  • App Engine
    Default service account: App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com)
    Role to grant: Cloud Build Service Account role (roles/cloudbuild.builds.builder)

  • Compute Engine
    Default service account: Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    Role to grant: The roles that the default service account needs depend on the task that you want to accomplish. To figure out which roles are required, review the documentation for the task that you want to accomplish, or review Find the right predefined roles. When deciding which role to grant, follow the best practices described on the Service accounts page in the Compute Engine documentation.

  • Cloud Build
    Default service account: Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    Role to grant: Cloud Build Service Account role (roles/cloudbuild.builds.builder)

  • Cloud Deploy
    Default service account: Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    Role to grant: To see which roles to grant to this service account, find the Cloud Deploy quickstart that corresponds with your use case, then grant the roles described in that quickstart. For a list of Cloud Deploy quickstarts, see Quickstarts in the Cloud Deploy documentation.

  • Cloud Run functions and Cloud Functions
    Default service account: Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    Role to grant: To deploy functions, the Cloud Build Service Account role (roles/cloudbuild.builds.builder). For more information, see Custom service account for Cloud Build.

  • Cloud Run
    Default service account: Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    Role to grant: The roles that the default service account needs depend on the task that you want to accomplish. To figure out which roles are required, review the documentation for the task that you want to accomplish, or review Find the right predefined roles. For details about Cloud Run roles, see Access control with IAM in the Cloud Run documentation.

  • Google Kubernetes Engine
    Default service account: Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    Role to grant: Kubernetes Engine Default Node Service Account role (roles/container.defaultNodeServiceAccount). For more information, see Use least privilege IAM service accounts.

  • Workflows
    Default service account: Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    Role to grant: The roles that the default service account needs depend on the task that you want to accomplish. To figure out which roles are required, review the documentation for the task that you want to accomplish, or review Find the right predefined roles. Follow the best practices described on the Grant a workflow permission to access Google Cloud resources page in the Workflows documentation.
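Organization policy constraints block new grants; they don't remove bindings that already exist. So once the managed constraint is on, the remaining work is finding the default service accounts that already hold Editor or Owner and replacing those grants with the service-specific roles listed above. The following Python is an added example, not code from the Google Cloud documentation: it audits a project IAM policy (the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json prints) for basic roles held by the two default service accounts and emits the matching gcloud projects remove-iam-policy-binding commands, adding --all where the binding is conditional, which is how I understand that flag to behave. The sample policy is constructed with a placeholder project number, project ID and members.

```python
"""Audit a project IAM policy for basic roles held by default service accounts.

Added example, not code from the Google Cloud documentation. Input is the
JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints;
SAMPLE_POLICY below is constructed with placeholder identifiers.
"""
import json
import re
from typing import Optional

# Identifiers of the default service accounts, as listed on this page.
COMPUTE_DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
APP_ENGINE_DEFAULT_SA = re.compile(r"^[^@]+@appspot\.gserviceaccount\.com$")

# The basic roles the managed constraint refuses to grant to those accounts.
PRIVILEGED_BASIC_ROLES = ("roles/owner", "roles/editor")


def default_service_account(member: str) -> Optional[str]:
    """Return the email when `member` is an active default service account.
    Users, groups and `deleted:` members are not service accounts to fix."""
    if not member.startswith("serviceAccount:"):
        return None
    email = member.split(":", 1)[1]
    if COMPUTE_DEFAULT_SA.match(email) or APP_ENGINE_DEFAULT_SA.match(email):
        return email
    return None


def privileged_default_sa_bindings(policy: dict) -> list[tuple[str, str, bool]]:
    """(member, role, conditional) for every default SA holding Owner or
    Editor. A conditional binding still grants the role while its condition
    holds, so it is reported too."""
    hits = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in PRIVILEGED_BASIC_ROLES:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            if default_service_account(member):
                hits.append((member, role, conditional))
    return hits


def remediation_commands(project_id: str, hits: list[tuple[str, str, bool]]) -> list[str]:
    """gcloud commands that drop each offending binding. Grant the
    service-specific role from the list above before running them, so the
    workload does not lose access in between."""
    cmds = []
    for member, role, conditional in hits:
        cmd = (f"gcloud projects remove-iam-policy-binding {project_id} "
               f"--member={member} --role={role}")
        if conditional:
            cmd += " --all"  # assumed: removes the binding regardless of its condition
        cmds.append(cmd)
    return cmds


# Constructed sample policy (placeholder project number 123456789012, project ID my-project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}},
    {"role": "roles/editor",
     "members": ["deleted:serviceAccount:123456789012-compute@developer.gserviceaccount.com?uid=1"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "BwXsample=",
  "version": 3
}
""")

if __name__ == "__main__":
    found = privileged_default_sa_bindings(SAMPLE_POLICY)
    for member, role, conditional in found:
        print(f"{member} holds {role}{' (conditional)' if conditional else ''}")
    print("\n".join(remediation_commands("my-project", found)))
```

Run it over every project in the organization, not just the one that produced the error: the constraint is enforced per project, and projects created before it was turned on keep whatever the automatic Editor grant gave their default service accounts.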

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.