 

403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/xyz

I am trying to create a ServiceAccount using the Google Cloud API. I am using an OAuth client to authenticate on behalf of a user, and I am using the correct scope. I am still getting the error 403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/xyz.

This code used to work before. I saw that the new docs also mention this: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/create

My question is: what am I doing wrong, and how do I fix this issue?

codefx asked Aug 16 '17 11:08



2 Answers

To allow a user to manage Service Accounts, grant one of the following roles:

  • Service Account User (roles/iam.serviceAccountUser): Grants permissions to get, list, or impersonate a service account.
  • Service Account Admin (roles/iam.serviceAccountAdmin): Includes Service Account User permissions and also grants permissions to create, update, delete, and set or get the Cloud IAM policy on a service account.

According to the question, to create a service account, at minimum the user must be granted the Service Account Admin role (roles/iam.serviceAccountAdmin) or the Editor primitive role (roles/editor).

Since you have not provided the code, please do the following.

  1. Check whether your service account has one of the above roles. If not, add it.
  2. Check whether you have provided the GOOGLE_APPLICATION_CREDENTIALS correctly.
  3. Based on your programming language, try the example code given here.
Keet Sugathadasa answered Oct 16 '22 22:10


This is really old, but for others: this is likely caused by previous failed attempts. This bug STILL exists, even a year later, in which previous failed attempts seem to propagate this error. If you change the name of the service account it generally works.

rjbez answered Oct 17 '22 00:10