
Workflow for keys, roles, permissions has changed. Need to update doc. #63

@gwhizoftv

Description

Hi,

After creating a service account (steps A7 and A9 in the README), the flow has changed.
You must grant the service account role and admin to a user in A7.

Then in A9, Google doesn't offer the "Furnish a new private key" box or workflow.
After the service account is created, there is a table with an Actions column, where you can select "Manage Keys".
You are taken to the service account's keys page. There is a warning:

Service account keys could pose a security risk if compromised. We recommend you avoid downloading service account keys and instead use the Workload Identity Federation. Learn more about the best way to authenticate service accounts on Google Cloud.

Click Add Key and select JSON (Recommended).

At this point you may get a denied message:

Service account key creation is disabled
An Organization Policy that blocks service accounts key creation has been enforced on your organization.
Enforced Organization Policies IDs:
iam.disableServiceAccountKeyCreation
Possible Causes: Your Organization Policy Administrator enforced the Organization Policy to prevent security incidents related to Service Account keys. Alternatively, your organization may have been automatically enforced with the policy as part of Secure by Default enforcements.

Recommended Next Steps: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative whenever possible. If you must authenticate with a service account key, an administrator with the "Organization Policy Administrator" (roles/orgpolicy.policyAdmin) role on the organization needs to disable the constraints mentioned above.

Tracking number: c6287774344777463

If so, you need to either create a policy that allows generating keys, attach a service account to the project (https://cloud.google.com/iam/docs/attach-service-accounts#attaching-different-project), or deep-dive into Workload Identity Federation (https://cloud.google.com/iam/docs/workload-identity-federation).

Sorry I can't be more help right now to provide a real solution.
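As an added example (not from the issue author or the project's README), the same check the console performs can be done from a shell with gcloud before anyone reaches the "Add Key" dialog: query the effective `iam.disableServiceAccountKeyCreation` policy on the project and list the user-managed keys that already exist. The project ID and service account e-mail are placeholders supplied as arguments; the policy output samples are constructed for offline use.

```shell
#!/bin/sh
# Added example: shell equivalent of the console flow described in the issue.
# Assumes gcloud is installed and authenticated when run against a real project.

# Reads `org-policies describe ... --effective` output on stdin and returns 0
# when the boolean constraint is enforced ("enforced: true" in the policy).
key_creation_blocked() {
  grep -Eq '^[[:space:]]*enforced:[[:space:]]*true[[:space:]]*$'
}

# Effective policy for the project (inherits from folder/organization), piped
# into the check above. $1 is the project ID.
check_project() {
  gcloud resource-manager org-policies describe \
    iam.disableServiceAccountKeyCreation \
    --project="$1" --effective 2>/dev/null | key_creation_blocked
}

# User-managed keys are the ones the console warning is about; Google-managed
# keys are rotated automatically and are not listed here. $1 is the SA e-mail.
list_user_keys() {
  gcloud iam service-accounts keys list --iam-account="$1" --managed-by=user
}

# Constructed samples of describe output so the check can be exercised offline.
SAMPLE_BLOCKED='booleanPolicy:
  enforced: true
constraint: constraints/iam.disableServiceAccountKeyCreation'

SAMPLE_ALLOWED='booleanPolicy: {}
constraint: constraints/iam.disableServiceAccountKeyCreation'

# Only talks to gcloud when a project ID is given and gcloud is available.
if [ "$#" -ge 1 ] && command -v gcloud >/dev/null 2>&1; then
  if check_project "$1"; then
    echo "key creation is blocked on $1: attach a service account or use Workload Identity Federation"
  else
    echo "key creation is allowed on $1 (consider the alternatives anyway)"
    [ "$#" -ge 2 ] && list_user_keys "$2"
  fi
fi
```

Run it as `sh check_sa_keys.sh PROJECT_ID [SA_EMAIL]`; when the constraint is enforced it reports that before you hit the console's "Service account key creation is disabled" message.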
