Disabling a policy

I am trying to disable a policy within the workspace to allow the creation of a key.

The policy in question is "disable service key creation".

Whenever I attempt this I am presented with an info note:

The following permissions are required to edit organization policies: orgpolicy.policy.get, orgpolicy.policies.create, orgpolicy.policies.delete, and orgpolicy.policies.update.

The "Organization Policy Administrator" (roles/orgpolicy.policyAdmin) role is an example of a role that contains these permissions.


I have scoured every note on Google and the interweb and still cannot get this to change.

My user has all the assigned policies required.

When I attempt to add a key, I get the following:

Service account key creation is disabled

The organization policy constraint 'iam.disableServiceAccountKeyCreation' is enforced on your organization.

Possible Causes: Your Organization Policy Administrator enforced the Organization Policy to prevent security incidents related to Service Account keys. Alternatively, your organization may have been automatically enforced with the policy as part of Secure by Default enforcements.

Recommended Next Steps: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative whenever possible. If you must authenticate with a service account key, an administrator with the "Organization Policy Administrator" (roles/orgpolicy.policyAdmin) role on the organization needs to disable the "iam.disableServiceAccountKeyCreation" constraint.

Tracking number: c4052291959458643


Is there some simple way to disable this, so I can create a key for my service account?


Hello, ok so I started on this fresh approach. Got to assign tags and apparently I do not have rights to enable tags. I need additional access, and I am admin and I can't create access.

This Google approach is extremely difficult. All I am trying to do is migrate my Google system to Microsoft 365 and it is presenting roadblocks at every task. The migration assistant in 365 won't work unless I have the correct items allowed. As an admin I should be able to change items, but Google won't let me.

Hi @paintco ,

Let me explain this:

Yes, you are Super Admin or Admin in general, but by default you can't do everything. It's called SoD (separation of duties) and least privilege.

Basically you should have as many permissions as you need to do your job, nothing more and nothing less (least privilege). Additionally, you should not overload one person (principal) with all of the mandatory roles within your organization, due to the amount of work and, what is more important, because of security.

Imagine the situation where you have one user called Bob, who has all permissions by default (IAM Admin, Security, Network, Policy Org Admin, etc). One day Bob's account is compromised. That means your organization is in big trouble due to the wide range of permissions. This is the reason why you can't do everything out of the box and you have to ASSIGN proper permissions, do your job and UNASSIGN the permissions you no longer need.

--
cheers,
DamianS
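As an added example (not code from the thread or from Google), the script below puts the two points of this thread together: the original question (lifting the `iam.disableServiceAccountKeyCreation` constraint long enough to create one key) and the assign / do the job / unassign pattern in the reply above. Rather than disabling the constraint for the whole organization, it sets a project-level override, creates the key, and deletes the override again; it also lists who actually holds `roles/orgpolicy.policyAdmin`, which is the first thing to check when the console shows the permissions note quoted in the question. It assumes the gcloud CLI is installed and that the caller already holds that role on the organization. `ORG_ID`, `PROJECT_ID`, `SA_EMAIL`, the admin e-mail and the output path are placeholders, and the sample policy output embedded for testing is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the gcloud CLI is
# installed and the caller already holds roles/orgpolicy.policyAdmin on the
# organization (the requirement stated in the error message in the thread).
# ORG_ID, PROJECT_ID, SA_EMAIL and the output path are placeholders.

CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Build the org-policy YAML that turns the constraint off for ONE project,
# leaving the organization-wide enforcement in place everywhere else.
render_policy_yaml() {
  printf 'name: projects/%s/policies/%s\nspec:\n  rules:\n  - enforce: false\n' \
    "$1" "$CONSTRAINT"
}

# Read the YAML printed by `gcloud org-policies describe ... --effective`
# on stdin; exit 0 when the constraint is enforced (key creation blocked).
policy_enforced() {
  grep -q '^[[:space:]]*-[[:space:]]*enforce:[[:space:]]*true'
}

# Constructed sample of that describe output, used to exercise
# policy_enforced offline; the project number is made up.
SAMPLE_EFFECTIVE_POLICY='name: projects/123456789012/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true'

# Who can change the policy at all: principals bound to the policy-admin
# role at the organization node. $1=ORG_ID
list_policy_admins() {
  gcloud organizations get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/orgpolicy.policyAdmin" \
    --format="value(bindings.members)"
}

# The assign / do the job / unassign pattern, applied to the policy-admin
# role for one user. $1=ORG_ID $2=user e-mail
grant_policy_admin() {
  gcloud organizations add-iam-policy-binding "$1" \
    --member="user:$2" --role="roles/orgpolicy.policyAdmin"
}
revoke_policy_admin() {
  gcloud organizations remove-iam-policy-binding "$1" \
    --member="user:$2" --role="roles/orgpolicy.policyAdmin"
}

# Create one key behind a project-scoped exception, then remove the
# exception so inheritance from the organization resumes.
# $1=PROJECT_ID $2=SA_EMAIL $3=output file for the key
create_key_with_scoped_exception() {
  project="$1"; sa_email="$2"; out="$3"
  policy_file="$(mktemp)"
  overrode=no
  if gcloud org-policies describe "$CONSTRAINT" --project="$project" --effective | policy_enforced; then
    render_policy_yaml "$project" > "$policy_file"
    gcloud org-policies set-policy "$policy_file"
    overrode=yes
  fi
  gcloud iam service-accounts keys create "$out" --iam-account="$sa_email"
  if [ "$overrode" = yes ]; then
    # Deleting the project-level policy makes the org-level enforcement apply again.
    gcloud org-policies delete "$CONSTRAINT" --project="$project"
  fi
  rm -f "$policy_file"
}

# Usage (replace the placeholders):
#   list_policy_admins ORG_ID
#   grant_policy_admin ORG_ID admin@example.com
#   create_key_with_scoped_exception PROJECT_ID my-sa@PROJECT_ID.iam.gserviceaccount.com ./sa-key.json
#   revoke_policy_admin ORG_ID admin@example.com
```

Two practical notes: org-policy changes are not instantaneous, so the first key-creation attempt after `set-policy` can still be rejected for a short while and may need a retry; and the key file written by `keys create` is a long-lived credential, which is exactly why the constraint exists, so keep the override window as short as the script does and prefer workload identity or impersonation where the consuming tool supports it.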