PreconditionFailure', 'violations': [{'type': 'constraints/iam.disableServiceAccountKeyUpload', '


cristian Ryan

Aug 31, 2022, 12:54:39 PM
to GAM for Google Workspace
Hi there, 

We created a GAM Project, and are attempting to install GAM CLI [https://github.com/GAM-team/GAM/wiki#download-gam] but we're seeing the following error noted below: 


Setting GAM project consent screen... 

Generating new private key... 

Extracting public certificate... 

Done generating private key and public certificate. 

Uploading new public certificate to Google...

ERROR: [{'@type': 'type.googleapis.com/google.rpc.PreconditionFailure', 'violations': [{'type': 'constraints/iam.disableServiceAccountKeyUpload', ' 

We believe the resolution is to adjust the policy for “constraints/iam.disableServiceAccountKeyUpload” to no enforcement found here: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyUpload?project=gam-project-360307

Are these policy requirements noted somewhere for GAM CLI? 

Thank you


Jay Lee

Aug 31, 2022, 1:29:28 PM
to google-ap...@googlegroups.com
Yes, that sounds like the issue you are having. No, nothing is documented at this point and afaik you're the first GAM user to run across this issue.

Jay Lee



Sean Ryan

Sep 1, 2022, 9:16:44 AM
to GAM for Google Workspace
Thanks Jay -- 

Just confirming the issue is now fixed. It was a permissions issue; we had to adjust the organizational policy noted below to "Not Enforced".

Disable Service Account Key Upload

This boolean constraint disables the feature that allows uploading public keys to service accounts where this constraint is set to `True`. By default, users can upload public keys to service accounts based on their Cloud IAM roles and permissions.

Applies to

Project "GAM project"

ID

constraints/iam.disableServiceAccountKeyUpload

Effective policy

Not enforced

coccoinomane

Mar 4, 2024, 4:31:01 PM
to GAM for Google Workspace
Hello!
For those stuck with this problem, the solution is to go to the IAM section of Google Cloud console and:
1. add the role "Organization Policy Administrator" to your account
2. set "Not enforced" for the policy "Disable Service Account Key Upload"
3. try again creating the project with GAM (gam create project)
Hope this helps!
Cheers,
Guido

Jay Lee

Mar 4, 2024, 4:33:12 PM
to google-ap...@googlegroups.com
Well that's turning off the security policy your organization is attempting to enforce so it's more of a workaround than a solution.

The solution as I described above is to run GAM on a GCP VM with an attached service account so that no private key is necessary.

Jay

Roy Natian

Mar 3, 2025, 7:15:19 PM
to GAM for Google Workspace
FYI the workaround has changed slightly. iam.disableServiceAccountKeyUpload has been superseded by iam.managed.disableServiceAccountKeyUpload.

So to get this to work, you need to set iam.managed.disableServiceAccountKeyUpload to not enforced once you have the role "Organization Policy Administrator".

Roy
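
A triage helper for the error shown in the first post, added here as an example (not GAM's code and not posted by anyone in the thread): it extracts the blocking org policy constraint from the error text, including the truncated form pasted above, and recognizes both constraint names mentioned in the thread. The `subject` and `description` values in the complete sample are constructed placeholders, and the `constraints/` prefix on the managed name is an assumption.

```python
import ast
import re

# Constraint names from the thread: the legacy one and its managed successor.
KEY_UPLOAD_CONSTRAINTS = {
    "constraints/iam.disableServiceAccountKeyUpload": "legacy",
    "constraints/iam.managed.disableServiceAccountKeyUpload": "managed",  # prefix assumed
}
PRECONDITION_TYPE = "type.googleapis.com/google.rpc.PreconditionFailure"
CONSTRAINT_RE = re.compile(r"constraints/[A-Za-z0-9_.]+")


def constraint_names(text):
    """Return the org policy constraint names cited in an 'ERROR: [...]' line."""
    payload = text.split("ERROR:", 1)[-1].strip()
    try:
        details = ast.literal_eval(payload)  # literals only, nothing is executed
    except (ValueError, SyntaxError):
        # Truncated or malformed output: fall back to a pattern scan.
        return CONSTRAINT_RE.findall(payload)
    names = []
    for detail in details if isinstance(details, list) else []:
        if not isinstance(detail, dict) or detail.get("@type") != PRECONDITION_TYPE:
            continue
        for violation in detail.get("violations") or []:
            if isinstance(violation, dict):
                name = str(violation.get("type", ""))
                if name.startswith("constraints/"):
                    names.append(name)
    return names


def blocked_constraints(text):
    """Pair each constraint with 'legacy', 'managed', or 'other'."""
    return [(n, KEY_UPLOAD_CONSTRAINTS.get(n, "other")) for n in constraint_names(text)]


# The error line exactly as pasted in the first post (cut off mid-payload).
TRUNCATED = ("ERROR: [{'@type': 'type.googleapis.com/google.rpc.PreconditionFailure', "
             "'violations': [{'type': 'constraints/iam.disableServiceAccountKeyUpload', '")
# Constructed complete payload; subject and description are placeholders.
COMPLETE = TRUNCATED + "subject': 'PLACEHOLDER', 'description': 'PLACEHOLDER'}]}]"

if __name__ == "__main__":
    for sample in (TRUNCATED, COMPLETE):
        for name, kind in blocked_constraints(sample):
            print(f"key upload blocked by {name} ({kind} constraint)")
```
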

Ross Scroggs

Mar 3, 2025, 8:30:35 PM
to google-ap...@googlegroups.com