Can't create gam project. ERROR: 403: Permission iam.serviceAccountKeys.create is required to perform this operation on service account


Louis-Philippe Kyer

May 21, 2021, 5:35:40 PM
to GAM for Google Workspace

Hey guys,

Trying to install GAM for the first time on a new domain + computer. Used it a bunch previously at my former job. 

I'm super-admin, yet cannot go through the install with ERROR: 403: Permission iam.serviceAccountKeys.create is required to perform this operation on service account

Any recommendations? See logs:


Creating project "GAM Project"...
Checking project status...
  Project: gam-project-jvl-rvq-9cd, Enable 21 APIs
    API: admin.googleapis.com, Enabled (1/21)
    API: alertcenter.googleapis.com, Enabled (2/21)
    API: calendar-json.googleapis.com, Enabled (3/21)
    API: chat.googleapis.com, Enabled (4/21)
    API: chromemanagement.googleapis.com, Enabled (5/21)
    API: chromepolicy.googleapis.com, Enabled (6/21)
    API: classroom.googleapis.com, Enabled (7/21)
    API: cloudidentity.googleapis.com, Enabled (8/21)
    API: contacts.googleapis.com, Enabled (9/21)
    API: drive.googleapis.com, Enabled (10/21)
    API: driveactivity.googleapis.com, Enabled (11/21)
    API: iap.googleapis.com, Enabled (12/21)
    API: gmail.googleapis.com, Enabled (13/21)
    API: groupssettings.googleapis.com, Enabled (14/21)
    API: iam.googleapis.com, Enabled (15/21)
    API: licensing.googleapis.com, Enabled (16/21)
    API: reseller.googleapis.com, Enabled (17/21)
    API: sheets.googleapis.com, Enabled (18/21)
    API: siteverification.googleapis.com, Enabled (19/21)
    API: storage-api.googleapis.com, Enabled (20/21)
    API: vault.googleapis.com, Enabled (21/21)
Setting GAM project consent screen...
Creating Service Account
 Generating new private key...
 Extracting public certificate...
 Done generating private key and public certificate.
 Uploading new public certificate to Google...

ERROR: 403: Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/117385753880378987998. - 403

Alex Birk

May 24, 2021, 2:59:18 PM
to GAM for Google Workspace
I'm receiving the same issue. I'm a first timer, unfortunately. Tried using a separate service/super admin account as well, but received the same error. Were you able to find a fix for this by chance?

Andrew Kulpa

May 24, 2021, 3:06:27 PM
to GAM for Google Workspace
I am also receiving this error. 

A fellow admin ran into this when he was setting up GAM today on a fresh Windows laptop. I reproduced the error on my Mac and couldn't find the 403 permission issue in Google Logging. 

No logs are generated under the project after `ListServiceAccount`, `CreateServiceAccount`, and what looks like a redundant `EnableService` API request for `vault.googleapis.com` are all called.

Tomasz Jezierski

May 24, 2021, 3:10:55 PM
to GAM for Google Workspace
I don't know the exact reason, but I know how to work around it if you're in a hurry.
You need to force GAM to have Google generate the private key instead of uploading a locally generated one.
If you're using the git version you can add the line
local_key_size = 0
above line 7896
https://github.com/jay0lee/GAM/blob/main/src/gam/__init__.py#L7896

There is probably a way of forcing it that's not this stupid, but I don't know how :)

Ross Scroggs

May 24, 2021, 3:11:15 PM
to google-ap...@googlegroups.com
Louis-Philippe/Alex/Andrew,

Verify that you've followed these steps: https://support.google.com/a/answer/9197205?hl=en

Ross


Alex Birk

May 24, 2021, 3:17:49 PM
to GAM for Google Workspace
Hey Ross!

I was able to confirm that the cloud platform is enabled, and all settings enabled for the account in question. I took a look in the cloud platform webpage, and it looks like projects are being generated, but the error persists. Clearing the existing projects did not work to resolve the error.

Nicholas Lee

May 24, 2021, 10:37:57 PM
to GAM for Google Workspace
Just installed gam on POPOS 20.04. Same issue.

I have used GAM previously (year or two ago) for this domain on a windows computer.

Nicholas

Louis-Philippe Kyer

May 25, 2021, 1:24:06 PM
to GAM for Google Workspace
Confirmed followed. Projects are getting created but it seems there's a problem with the key creation

Jay Lee

May 25, 2021, 2:51:30 PM
to google-ap...@googlegroups.com
This issue is fixed in GAM 6.03.

Jay

On Tue, May 25, 2021, 2:50 PM 'Alex Moon' via GAM for Google Workspace <google-ap...@googlegroups.com> wrote:
Ran into the same issue and got it sorted. This is a permissions issue with the account you're attempting to create the project with. You'll need to ensure that, for your root organization, you have the Service Account Key Admin role. I also have the Org Admin and Owner roles but it didn't work until I added the Service Account Key Admin role.

Ross Scroggs

May 25, 2021, 3:08:47 PM
to google-ap...@googlegroups.com
Alex,

Where in the console are you manipulating this role?

Ross

On Tue, May 25, 2021 at 11:50 AM 'Alex Moon' via GAM for Google Workspace <google-ap...@googlegroups.com> wrote:
Ran into the same issue and got it sorted. This is a permissions issue with the account you're attempting to create the project with. You'll need to ensure that, for your root organization, you have the Service Account Key Admin role. I also have the Org Admin and Owner roles but it didn't work until I added the Service Account Key Admin role.


Jay Lee

May 25, 2021, 3:12:16 PM
to google-ap...@googlegroups.com
It's not actually a permissions issue, it's a timing issue. The admin you authorized gam with owns the project and should have rights to create keys, but the API call seems to have recently started failing for a few seconds after the service account creation, causing this issue.

GAM 6.03 retries creating the key with backoff, which resolves the problem.

Jay

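The retry-with-backoff approach Jay describes, written out as an added example; this is not GAM's own code (that lives in the linked `__init__.py`). `ApiError`, `FakeIam` and `simulate` are constructed stand-ins for the real IAM client and its exception type, and the key point the thread's diagnosis implies is encoded in `is_transient_key_create_403`: only the propagation-window 403 is retried, so a genuinely missing role (the case Alex Moon hit) still fails fast instead of being masked by retries.

```python
import random
import time

# Permission from the thread's 403; per Jay, IAM returns it briefly after SA creation.
TRANSIENT_PERMISSION = "iam.serviceAccountKeys.create"
TRANSIENT_MESSAGE = ("Permission iam.serviceAccountKeys.create is required to perform "
                     "this operation on service account projects/-/serviceAccounts/SA-ID.")

class ApiError(Exception):
    """Hypothetical stand-in for an HTTP error raised by the IAM client."""
    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status, self.message = status, message

def is_transient_key_create_403(err):
    # Only the propagation 403 is retried; any other 403 (a real missing role) is surfaced at once.
    return err.status == 403 and TRANSIENT_PERMISSION in err.message

def create_key_with_backoff(create_key, max_attempts=8, base_delay=1.0,
                            max_delay=30.0, sleep=time.sleep, rng=random.random):
    """Retry create_key() on the transient 403 with capped exponential backoff plus jitter."""
    for attempt in range(1, max_attempts + 1):
        try:
            return create_key(), attempt
        except ApiError as err:
            if not is_transient_key_create_403(err) or attempt == max_attempts:
                raise
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(delay * (0.5 + rng()))  # jitter: 0.5x..1.5x of the nominal delay

class FakeIam:
    """Constructed fake: rejects the first `failures` key creations, then succeeds."""
    def __init__(self, failures, message=TRANSIENT_MESSAGE):
        self.failures, self.message, self.calls = failures, message, 0

    def create_key(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise ApiError(403, self.message)
        return {"name": "projects/-/serviceAccounts/SA-ID/keys/key-1"}

def simulate(failures, max_attempts=8, message=TRANSIENT_MESSAGE):
    """Drive the loop against FakeIam; sleeps are recorded, rng is fixed so delays are deterministic."""
    iam, delays = FakeIam(failures, message), []
    try:
        _, attempts = create_key_with_backoff(iam.create_key, max_attempts=max_attempts,
                                              sleep=delays.append, rng=lambda: 0.5)
        return "created", attempts, delays
    except ApiError:
        return "failed", iam.calls, delays
```

With the real client you would pass the key-creation call as `create_key` and keep the default `sleep` and `rng`; the recorded delays above show the 1s, 2s, 4s schedule that covers the few-second window described in the thread.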