I am trying to disable a policy within the workspace to allow the creation of a key. The policy in question is "Disable Service Key Creation". Whenever I attempt this I am presented with an info note:
The following permissions are required to edit organization policies: orgpolicy.policy.get, orgpolicy.policies.create, orgpolicy.policies.delete, and orgpolicy.policies.update.
The "Organization Policy Administrator" (roles/orgpolicy.policyAdmin) role is an example of a role that contains these permissions.
I have scoured every note on Google and the interweb and still cannot get this to change.
My user has all the assigned policies required.
When I attempt to add a key, I get the following:
Possible Causes: Your Organization Policy Administrator enforced the Organization Policy to prevent security incidents related to Service Account keys. Alternatively, your organization may have been automatically enforced with the policy as part of Secure by Default enforcements.
Recommended Next Steps: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative whenever possible. If you must authenticate with a service account key, an administrator with the "Organization Policy Administrator" (roles/orgpolicy.policyAdmin) role on the organization needs to disable the "iam.disableServiceAccountKeyCreation" constraint.
Tracking number: c4052291959458643
Is there some simple way to disable this, so I can create a key for my service account?
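An added example, not part of this thread or of any Google tooling: the two checks the error text above implies, worked through in Python. It evaluates whether `iam.disableServiceAccountKeyCreation` is effectively enforced from the org-policy resources at each level of the hierarchy (the v2 Policy shape that `gcloud org-policies describe` prints), and reports which of the four listed permissions a principal is missing. The hierarchy and policy documents are constructed sample data; the rule that a boolean constraint set on a child overrides its parent, and that the constraint's default is "not enforced", are assumptions taken from the product documentation.

```python
"""Check effective enforcement of a boolean org-policy constraint."""
from typing import Optional

CONSTRAINT = "iam.disableServiceAccountKeyCreation"
# Permissions the console lists as required to edit organization policies.
REQUIRED_PERMS = {"orgpolicy.policy.get", "orgpolicy.policies.create",
                  "orgpolicy.policies.delete", "orgpolicy.policies.update"}
DEFAULT_ENFORCED = False  # assumption: constraint default is "not enforced"


def enforced_by(policy: dict) -> Optional[bool]:
    """True/False if this policy decides the constraint, None if it is silent."""
    spec = policy.get("spec", {})
    if spec.get("reset"):
        return DEFAULT_ENFORCED  # reset: fall back to the constraint default
    rules = spec.get("rules", [])
    if not rules:
        return None  # no policy set at this level
    return bool(rules[0].get("enforce", False))


def effective_enforcement(chain: list) -> tuple:
    """chain is ordered org -> folder -> project; the lowest level that sets
    a value for a boolean constraint wins (assumed override semantics)."""
    decided = (DEFAULT_ENFORCED, "constraint default")
    for policy in chain:
        state = enforced_by(policy)
        if state is not None:
            decided = (state, policy["name"])
    return decided


def missing_permissions(granted: set) -> set:
    """Permissions still needed to edit the policy, given what is granted."""
    return REQUIRED_PERMS - set(granted)


# Constructed sample hierarchy: secure-by-default org enforces the constraint,
# the folder is silent, the project has no policy of its own.
ORG_POLICY = {"name": f"organizations/EXAMPLE_ORG/policies/{CONSTRAINT}",
              "spec": {"rules": [{"enforce": True}]}}
FOLDER_POLICY = {"name": f"folders/EXAMPLE_FOLDER/policies/{CONSTRAINT}",
                 "spec": {}}
PROJECT_POLICY = {"name": f"projects/example-project/policies/{CONSTRAINT}",
                  "spec": {}}
# A project-level exception an org-policy admin might create for one project.
PROJECT_EXCEPTION = {"name": f"projects/example-project/policies/{CONSTRAINT}",
                     "spec": {"rules": [{"enforce": False}]}}

if __name__ == "__main__":
    print(effective_enforcement([ORG_POLICY, FOLDER_POLICY, PROJECT_POLICY]))
    print(missing_permissions({"orgpolicy.policy.get"}))
```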
Hello @paintco, welcome to the Google Cloud Community.
Grab some useful articles about that:
Global enforcement: https://cloud.google.com/resource-manager/docs/secure-by-default-organizations
Similar cases: https://www.googlecloudcommunity.com/gc/Cloud-Hub/Unable-to-disable-the-Disable-Service-Account-Key-...
https://www.googlecloudcommunity.com/gc/Google-Cloud-s-operations-suite/The-quot-Principal-Access-Bo...
medium.com article: https://medium.com/google-cloud/troubleshooting-101-solving-the-service-account-key-creation-is-disa...
--
cheers,
DamianS
Hi @paintco ,
Let me explain this:
Yes, you are Super Admin or Admin in general, but by default you can't do everything. It's called SoD (separation of duties) and least privilege.
Basically you should have as many permissions as you need to do your job, nothing more and nothing less (least privilege). Additionally, you should not overload one person (principal) with all of the mandatory roles within your organization, due to the amount of work and, what is more important, because of security.
Imagine the situation where you have one user called Bob, who has all permissions by default (IAM Admin, Security, Network, Policy Org Admin, etc.). One day Bob's account is compromised. That means your organization is in big trouble due to the wide range of permissions. This is the reason why you can't do everything out of the box and you have to ASSIGN the proper permissions, do your job, and UNASSIGN the permissions that are no longer needed.
--
cheers,
DamianS