"Projection creation failed"


Dongryeong Kim

Mar 13, 2024, 5:58:48 AM
to Got Your Back: Gmail Backup
Hi,
I'm trying to do it with an account of Google Workspace Business Standard on a Windows 11 computer. But it seems to be creating an error constantly and going through the same process again and again. Could anyone help me? On the CMD, it repeats the following.

Enter verification code or browser URL: 127.0.0.1 - - [13/Mar/2024 17:41:37] "GET /?state=9ccu8ZelcAMagA2xEBVXE7VW8Wx330&code=4/0AeaYSHC4haaOStKMbcXpNARXvLPNfbfFOzlN4YskM0fCaFVo_yLHI0pSdCZZabgGrasXxw&scope=https://www.googleapis.com/auth/cloud-platform HTTP/1.1" 200 91

The authentication flow has completed.
Creating project "Got Your Back Project"...
Checking project status...
 enabling API drive.googleapis.com...
 enabling API gmail.googleapis.com...
 enabling API groupsmigration.googleapis.com...
 enabling API iap.googleapis.com...
 enabling API vault.googleapis.com...
Creating Service Account

400: b'{\n  "error": {\n    "code": 400,\n    "message": "Key creation is not allowed on this service account.",\n    "status": "FAILED_PRECONDITION",\n    "details": [\n      {\n        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",\n        "violations": [\n          {\n            "type": "constraints/iam.disableServiceAccountKeyCreation",\n            "subject": "projects/gyb-project-icr-m3u-hf0/serviceAccounts/gyb-project...@gyb-project-icr-m3u-hf0.iam.gserviceaccount.com?configvalue=gyb-project-icr-m3u-hf0%40gyb-project-icr-m3u-hf0.iam.gserviceaccount.com",\n
  "description": "Key creation is not allowed on this service account."\n          }\n        ]\n      }\n    ]\n  }\n}\n' - 400

Projection creation failed. Trying again. Say n to skip projection creation.

Go to the following link in your browser:

        https://gyb-shortn.jaylee.us/9ht4hy

IMPORTANT: If you get a browser error that the site can't be reached AFTER you
click the Allow button, copy the URL from the browser where the error occurred
and paste that here instead.

Enter verification code or browser URL:
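
The error body printed in the output above names the organization policy constraint that blocked the request. As an added example (not GYB's code and not posted by anyone in this thread), this Python function pulls the constraint and the affected service account out of such a line; the sample line is constructed, with placeholder project and account names.

```python
import ast
import json
import re

PRECONDITION = "type.googleapis.com/google.rpc.PreconditionFailure"

def blocked_constraints(line):
    """Return (constraint, subject) pairs named in a printed API error line."""
    # The tool prints the response body as a Python bytes literal: b'...'.
    match = re.search(r"b'(?:[^'\\]|\\.)*'", line)
    if match is None:
        return []
    try:
        # literal_eval only parses literals, so log text is never executed.
        payload = json.loads(ast.literal_eval(match.group(0)))
        details = payload["error"]["details"]
    except (ValueError, SyntaxError, KeyError, TypeError):
        return []
    found = []
    for detail in details:
        if detail.get("@type") != PRECONDITION:
            continue
        for violation in detail.get("violations", []):
            constraint = violation.get("type", "")
            if constraint.startswith("constraints/"):
                # Drop the "?configvalue=..." suffix appended to the subject.
                subject = violation.get("subject", "").split("?", 1)[0]
                found.append((constraint, subject))
    return found

def sample_line():
    """Constructed sample; project and account names are placeholders."""
    account = ("projects/example-project/serviceAccounts/"
               "gyb@example-project.iam.gserviceaccount.com")
    body = {"error": {
        "code": 400,
        "message": "Key creation is not allowed on this service account.",
        "status": "FAILED_PRECONDITION",
        "details": [{"@type": PRECONDITION, "violations": [{
            "type": "constraints/iam.disableServiceAccountKeyCreation",
            "subject": account + "?configvalue=placeholder",
            "description": "Key creation is not allowed on this service account.",
        }]}],
    }}
    return f"400: {json.dumps(body, indent=2).encode()!r} - 400"

if __name__ == "__main__":
    for constraint, subject in blocked_constraints(sample_line()):
        print(f"{constraint} blocked key creation on {subject}")
```

The constraint string it returns is the exact name to look up on the Organization Policies page.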



Dom Scott

Mar 19, 2024, 3:33:35 PM
to Got Your Back: Gmail Backup
I ran into this problem too and oh boy did it take some digging.

The gist seems to be that Google disables the ability to create global service accounts by default on new Google Cloud setups, so I had to enable two things:
  1. Enable the permission to change Organization Policies
  2. Enable the permission for organization members to create global service accounts
Here's how I did that:
  1. Go to the IAM Page https://console.cloud.google.com/iam-admin/iam
  2. At the drop-down in the top-left by the Google Cloud logo, select your organization (should be your domain name for your organization with a building icon next to it)
  3. Click the edit icon next to your admin user account
  4. Click Add Role
  5. In the Role drop-down search for "Organization Policy Administrator" and select it.
  6. Click Save
  7. Select the "Got Your Back Project" from the drop-down at the top of the page
  8. Now go to the Organization Policies page https://console.cloud.google.com/iam-admin/orgpolicies/
  9. In the filter box search for disableServiceAccountCreation
  10. Click the 3 dots icon next to the row and select Edit Policy
  11. Select Customize
  12. Click "Add a rule"
  13. Select "Off"
  14. Click Set Policy
You should now be able to re-run the gyb-setup and it should work.

I should note this is just me digging through the error messages and figuring out why it doesn't work/how to get it to work. I'm not a dev on this and don't know if this is opening any scary security holes, but it made it work for me and I plan on scrubbing GYB from Google Cloud once I'm done, so hopefully it's ok.

Good luck!

Jay Lee

Mar 19, 2024, 3:36:23 PM
to Got Your Back: Gmail Backup
Google does not set that policy by default. Someone in your organization likely created it.

Jay


Dom Scott

Mar 22, 2024, 5:57:41 AM
to got-yo...@googlegroups.com
It's a squeaky clean new Google Workspace created this morning by me, and Cloud was only initialised by GYB, so it feels like enforcing the "no global service account creation" may be a new default policy applied to new organisations...?


Jon Yergatian

Apr 27, 2024, 5:18:16 PM
to Got Your Back: Gmail Backup
I'm seeing the exact same error message on a brand new domain. I followed the steps suggested by Dom but I'm still seeing the error. Key creation is not allowed on this service account.

It's a real show stopper.
