Skip to main content

Hello, Google support team.

I'm trying to crate a or download a json file for firebase push notifications. while creating the json file i'm facing an issue "The organization policy constraint 'iam.disableServiceAccountKeyCreation' is enforced on your organization." which is mentioned in the screenshot.
Can you please help or provide us any way of doing things right.
Thanks.

This means your Google Cloud Platform administrator has configured Organization Policy, which sets constraints on usage of GCP. You should check in with your admin for management of it.


-mike

I have owner access on this account, but I am still unable to create a JSON file and keep encountering an error. Can you please provide any steps or a link that I can follow to find the solution?

I have owner access on this account, but I am still unable to create a JSON file and keep encountering an error. Can you please provide any steps or a link that I can follow to find the solution?



You can disable the org policy constraint `disableServiceAccountKeyCreation` with a gcloud command. For example, to disable the policy for the project my-project, you would use the following command:



```

gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --project=my-project

```

It is best practice to re-enable the policy after you've downloaded your service account key.



You can also use the Google Cloud Console to disable the policy. Go to the Google Cloud Console page for the project, click on the IAM and Admin tab, and then click on the Organization Policies tab. In the Organization Policies page, search for `constraints/iam.disableServiceAccountKeyCreation`, click on the result, click Manage Policy, and then (temporarily) disable the policy. 


You can disable the org policy constraint `disableServiceAccountKeyCreation` with a gcloud command. For example, to disable the policy for the project my-project, you would use the following command:



```

gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --project=my-project

```

It is best practice to re-enable the policy after you've downloaded your service account key.



You can also use the Google Cloud Console to disable the policy. Go to the Google Cloud Console page for the project, click on the IAM and Admin tab, and then click on the Organization Policies tab. In the Organization Policies page, search for `constraints/iam.disableServiceAccountKeyCreation`, click on the result, click Manage Policy, and then (temporarily) disable the policy. 


I have already tried both solutions, but neither worked.

In the first solution, I encountered a permissions issue, and in the second, the edit option was disabled. Even though my account is shown as the owner, I am unable to make any changes.

I have already tried both solutions, but neither worked.

In the first solution, I encountered a permissions issue, and in the second, the edit option was disabled. Even though my account is shown as the owner, I am unable to make any changes.


I see your issue: the owner role is insufficient for editing org policy. In the cloud console for the Organization (not the Project), you need to grant that user the "Organization Policy Administrator" role.

I see your issue: the owner role is insufficient for editing org policy. In the cloud console for the Organization (not the Project), you need to grant that user the "Organization Policy Administrator" role.


How i should do that can you please provide us steps. so that can do that in correct manner

How i should do that can you please provide us steps. so that can do that in correct manner


In the cloud console, pick your Organization from the dropdown menu. The Org has a building glpyh as shown in the screenshot below. Note the numeric ID for th org also as you can use that with gcloud commands.


 


Once the Organization is selected, use the navigation on the left side to pick IAM & Admin and then IAM.


 


On the IAM page's View By Principals table, use the Filter to find the user account that you are using for cloud console administration. Use the pencil glyph on the far right column to edit this principal.



On the Assign Roles page for that principal, click "ADD ANOTHER ROLE" on the bottom of the list of roles.



 


Click "Select a Role"


.


Start typing "Organization Policy Administrator" in the Filter box. When the Role is visible, select it and then click Save.



The steps above add the Organization Policy Administrator Role to the principal at the Organization level. To do that with a gcloud command:


```





gcloud organizations add-iam-policy-binding 89865786164 --member user:admin@dandye.altostrat.com --role roles/orgpolicy.policyAdmin



```

In the cloud console, pick your Organization from the dropdown menu. The Org has a building glpyh as shown in the screenshot below. Note the numeric ID for th org also as you can use that with gcloud commands.


 


Once the Organization is selected, use the navigation on the left side to pick IAM & Admin and then IAM.


 


On the IAM page's View By Principals table, use the Filter to find the user account that you are using for cloud console administration. Use the pencil glyph on the far right column to edit this principal.



On the Assign Roles page for that principal, click "ADD ANOTHER ROLE" on the bottom of the list of roles.



 


Click "Select a Role"


.


Start typing "Organization Policy Administrator" in the Filter box. When the Role is visible, select it and then click Save.



The steps above add the Organization Policy Administrator Role to the principal at the Organization level. To do that with a gcloud command:


```





gcloud organizations add-iam-policy-binding 89865786164 --member user:admin@dandye.altostrat.com --role roles/orgpolicy.policyAdmin



```


Thanks for the update, but my account is showing a permission issue. I am not able to move forward. Can you please suggest what to do to solve this issue? I am attaching an image of the issue, please give a suggestion

Thanks for the update, but my account is showing a permission issue. I am not able to move forward. Can you please suggest what to do to solve this issue? I am attaching an image of the issue, please give a suggestion


I believe that screenshot indicates that you are not the administrator for your Google Cloud Platform organization. You'll need the administrator to help. The "need additional access" page also says, "If your administrator is unable to help, then contact support". 

At this point I would open a case with support so they can troubleshoot what is happening.

I too am struggling to create a Service Account Key for Firebase.  Here is the error



The role has the following permissions:



 


And here are the policy adaptations I have made: 



Enabling makes no difference.


WIF is not an option as Azure Notifications do not support WIF yet. 


Thanks, Jeff


 


 





 


 




Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.