Hello, I have gone round in ever decreasing circles with Google Support and we dont really want to pay for an expensive support plan so we are really hoping somebody can help here, please. We have traditionally been able to do this on other Google tenants on the "Cloud Identity Free' license, but are being blocked on this occasion.
We have created a new Project in Google Cloud Platform Console and enabled the requisite API's for a migration (Gmail, Contacts, Cals, etc). We can also "Create Service Account" successfully.
What we cannot do is 'Create New key' for the service account. We need to create a new JSON in order to utilise a 3rd party migration tool. Please see the screenshot below. Neither of our Super Admin accounts can do this. If we go to 'Organisation Policies' or 'Principal Access Boundary" we cannot make any changes.
We only need to temporarily disable iam.disableServiceAccountKeyCreation in "Organisation Policies" to create the JSON and allow a migration. How can we perform this without upgrading the support package with Google Cloud? Many thanks in advance.
Solved! Go to Solution.
Hello @purpleadmin ,Welcome on Google Cloud Community.
the reason why your "Super Admin" can't do that is because you have to grant Organization Policy Administrator role to your principal AND then temporary disable constraint.
More info here if you want to make exception: https://medium.com/google-cloud/troubleshooting-101-solving-the-service-account-key-creation-is-disa...
Similar case: https://www.googlecloudcommunity.com/gc/Cloud-Hub/Unable-to-disable-the-Disable-Service-Account-Key-...
--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost
Hello @purpleadmin ,Welcome on Google Cloud Community.
the reason why your "Super Admin" can't do that is because you have to grant Organization Policy Administrator role to your principal AND then temporary disable constraint.
More info here if you want to make exception: https://medium.com/google-cloud/troubleshooting-101-solving-the-service-account-key-creation-is-disa...
Similar case: https://www.googlecloudcommunity.com/gc/Cloud-Hub/Unable-to-disable-the-Disable-Service-Account-Key-...
--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost
Great, thanks, sorted.