I am trying to create a service account key using the gcloud CLI. I searched on Google and tried different service accounts, but they all give the same error. I'm not sure what I need to change to make the following work:
Ex:
gcloud iam service-accounts keys create ~/key.json \
--iam-account myserviceaccount
Error:
ERROR: (gcloud.iam.service-accounts.keys.create) PERMISSION_DENIED: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/myserviceaccount
In the Google Cloud console, go to the Create service account page. Select a Cloud project. Enter a service account name to display in the Google Cloud console. The Google Cloud console generates a service account ID based on this name.
tl;dr the iam-account doesn't exist.
Annoyingly I ran into the same issue running:
gcloud iam service-accounts keys create \
key.json \
--iam-account [email protected]
And getting:
ERROR: (gcloud.iam.service-accounts.keys.create) PERMISSION_DENIED: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/[email protected].
I am project Owner so I definitely had all the permissions required (I even explicitly added Service Account Key Admin, but it still didn't work).
But it was actually because that particular iam-account didn't exist.
Not a very helpful error message.
Based on the Creating and Managing Service Account Keys documentation, it is required to set the iam.serviceAccountKeyAdmin role permissions in order to manage the service account keys, as Will Faris also mentioned.
Required permissions:
To allow a user to manage service account keys, grant the Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin). Cloud IAM primitive roles also contain permissions to manage service account keys, but we recommend granting this role instead to prevent unnecessary access to other GCP resources.
Additionally, you can take a look at the Granting, Changing, and Revoking Access to Project Members guide to learn more about the process required to grant role access in GCP, as well as the Understanding Roles document, which lists the available roles when working with Service Accounts.
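The two answers above make two separate points: the PERMISSION_DENIED message was really a "no such service account" problem (the bare name was passed through verbatim, as the projects/-/serviceAccounts/myserviceaccount path in the error shows), and key management should be granted through roles/iam.serviceAccountKeyAdmin rather than a primitive role. The script below is an added example, not code from the question or any of the answers. It resolves a short name into the full service-account email, runs `gcloud iam service-accounts describe` before attempting to mint a key so that a typo is reported as "not found", and optionally grants the Key Admin role on that one service account only (an even narrower scope than a project-level grant). PROJECT_ID, SA_NAME and the member address are placeholders you supply; an installed, authenticated gcloud CLI is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the original question or answers).
# Assumes: gcloud CLI installed and authenticated; project id, service
# account name and member are supplied as arguments (placeholders).
set -eu

# Build the full service-account email from a short name and project id.
# gcloud's --iam-account expects this full form, not just the short name.
sa_email() {
  local name="$1" project="$2"
  printf '%s@%s.iam.gserviceaccount.com\n' "$name" "$project"
}

# Return 0 if the argument already looks like a full service-account email.
is_sa_email() {
  case "$1" in
    *@*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve either a short name or a full email into the full email.
resolve_account() {
  local account="$1" project="$2"
  if is_sa_email "$account"; then
    printf '%s\n' "$account"
  else
    sa_email "$account" "$project"
  fi
}

# Grant Key Admin on this single service account (not the whole project),
# so the member can manage keys for exactly this account and nothing else.
grant_key_admin() {
  local account="$1" member="$2"   # member e.g. user:alice@example.com
  gcloud iam service-accounts add-iam-policy-binding "$account" \
    --member="$member" \
    --role="roles/iam.serviceAccountKeyAdmin"
}

# Describe the account first; only create the key if it actually exists.
# This turns the misleading PERMISSION_DENIED into a clear "not found".
create_key_checked() {
  local account="$1" out="$2"
  if ! gcloud iam service-accounts describe "$account" >/dev/null 2>&1; then
    echo "service account '$account' not found (check the name and project)" >&2
    return 1
  fi
  gcloud iam service-accounts keys create "$out" --iam-account "$account"
  chmod 600 "$out"   # the key file is a credential; restrict it to the owner
}

# Usage: ./sa-key.sh PROJECT_ID SA_NAME_OR_EMAIL [OUTPUT_FILE] [MEMBER_TO_GRANT]
main() {
  local project="$1" account out member
  account="$(resolve_account "$2" "$project")"
  out="${3:-$HOME/key.json}"
  member="${4:-}"
  if [ -n "$member" ]; then
    grant_key_admin "$account" "$member"
  fi
  create_key_checked "$account" "$out"
}

# Only act when invoked with arguments; sourcing the file defines the
# functions without calling gcloud.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it as `./sa-key.sh my-project myserviceaccount ~/key.json` to reproduce the workflow from the question with the existence check in front; add a fourth argument such as `user:alice@example.com` to bind the Key Admin role on that service account first. Because the role is bound on the service-account resource rather than the project, the member gains key management for that account alone, which is the least-privilege shape the quoted documentation is steering towards.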