Key creation is not allowed on this service account #470

Open
HughWarrington opened this issue Jun 23, 2024 · 3 comments

@HughWarrington

Full steps to reproduce the issue:

  1. On Windows 10, download and run https://github.com/GAM-team/got-your-back/releases/download/v1.81/gyb-1.81-windows-x86_64.msi
  2. Fill in email address when requested.
  3. When browser window appears, proceed with Google account sign-in and granting permissions to GYB.
  4. Return to Command Prompt and see error.

Expected outcome:
GAM setup succeeds.

Actual outcome:

Please enter your Google email address: [email protected]

Go to the following link in your browser:

        https://gyb-shortn.jaylee.us/h9r8wv

IMPORTANT: If you get a browser error that the site can't be reached AFTER you
click the Allow button, copy the URL from the browser where the error occurred
and paste that here instead.

Enter verification code or browser URL: 127.0.0.1 - - [23/Jun/2024 13:08:08] "GET /?state=xxx&code=xxx&scope=https://www.googleapis.com/auth/cloud-platform HTTP/1.1" 200 91

The authentication flow has completed.
Creating project "Got Your Back Project"...
Checking project status...
Project still being created. Sleeping 1 seconds
Checking project status...
Project still being created. Sleeping 4 seconds
Checking project status...
 enabling API drive.googleapis.com...
 enabling API gmail.googleapis.com...
 enabling API groupsmigration.googleapis.com...
 enabling API iap.googleapis.com...
 enabling API vault.googleapis.com...
Creating Service Account

400: b'{
  "error": {
    "code": 400,
    "message": "Key creation is not allowed on this service account.",
    "status": "FAILED_PRECONDITION",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [
          {
            "type": "constraints/iam.disableServiceAccountKeyCreation",
            "subject": "projects/gyb-project-d0i-771-95i/serviceAccounts/gyb-project-d0i-771-95i@gyb-project-d0i-771-95i.iam.gserviceaccount.com?configvalue=gyb-project-d0i-771-95i%40gyb-project-d0i-771-95i.iam.gserviceaccount.com",
            "description": "Key creation is not allowed on this service account."
          }
        ]
      }
    ]
  }

' - 400

@emilthemaker

Stuck here too

@dwhaggard

I don't recall the exact process but it seems as though Google has turned on some defaults to increase security. These need to be disabled at your own risk.

Basically use the organizational policy menu on your organization to filter policies with "Service Account". Edit these policies in the list with "Disable" in the name. These need to be turned off. Might need to add a rule of enforce - off. Also might need to adjust your permissions to allow editing them. Once you get that sorted, GYB works.

@lucasra1

lucasra1 commented Oct 9, 2024

Since May 3, 2024, key creation for service accounts is disabled by default.
More information:

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts?authuser=2#disable_service_account_key_creation

Note: If your organization was created on or after May 3, 2024, this constraint is enforced by default.
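
An added example, not part of this thread or of GYB's own code: a small parser that reads an API error body like the one in the report and returns which organization policy constraint blocked the call and on which project, so the exact policy to review can be identified from the error. The function name is hypothetical, and the project and service account in the sample are constructed placeholders.

```python
import json
import re

PRECONDITION = "type.googleapis.com/google.rpc.PreconditionFailure"
SUBJECT_RE = re.compile(r"^projects/(?P<project>[^/]+)/serviceAccounts/(?P<account>[^?]+)")

# Constructed sample modelled on the error in the report; the IDs are placeholders.
SAMPLE_BODY = json.dumps({"error": {
    "code": 400,
    "message": "Key creation is not allowed on this service account.",
    "status": "FAILED_PRECONDITION",
    "details": [{
        "@type": PRECONDITION,
        "violations": [{
            "type": "constraints/iam.disableServiceAccountKeyCreation",
            "subject": "projects/example-project/serviceAccounts/"
                       "sa@example-project.iam.gserviceaccount.com"
                       "?configvalue=sa%40example-project.iam.gserviceaccount.com",
            "description": "Key creation is not allowed on this service account.",
        }],
    }],
}})


def org_policy_violations(body):
    """Return one dict per organization policy violation found in an API error body."""
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        error = json.loads(body).get("error", {})
        details = error.get("details", [])
    except (ValueError, AttributeError):
        return []  # not a JSON error object, e.g. an HTML page from a proxy
    found = []
    for detail in details:
        if detail.get("@type") != PRECONDITION:
            continue
        for v in detail.get("violations", []):
            if not v.get("type", "").startswith("constraints/"):
                continue  # a different precondition, not an organization policy
            m = SUBJECT_RE.match(v.get("subject", ""))
            found.append({"constraint": v["type"],
                          "project": m.group("project") if m else None,
                          "account": m.group("account") if m else None})
    return found


if __name__ == "__main__":
    for v in org_policy_violations(SAMPLE_BODY):
        print(f"Blocked by {v['constraint']} on project {v['project']} ({v['account']})")
```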
