GAM-team / got-your-back

Got Your Back (GYB) is a command line tool for backing up your Gmail messages to your computer using Gmail's API over HTTPS.
https://github.com/GAM-team/got-your-back/wiki
Apache License 2.0

Key creation is not allowed on this service account #470

Open HughWarrington opened 3 months ago

HughWarrington commented 3 months ago

Full steps to reproduce the issue:

  1. On Windows 10, download and run https://github.com/GAM-team/got-your-back/releases/download/v1.81/gyb-1.81-windows-x86_64.msi
  2. Fill in email address when requested.
  3. When browser window appears, proceed with Google account sign-in and granting permissions to GYB.
  4. Return to Command Prompt and see error.

Expected outcome: GAM setup succeeds.

Actual outcome:

Please enter your Google email address: xxx@xxxx.xxx

Go to the following link in your browser:

        https://gyb-shortn.jaylee.us/h9r8wv

IMPORTANT: If you get a browser error that the site can't be reached AFTER you
click the Allow button, copy the URL from the browser where the error occurred
and paste that here instead.

Enter verification code or browser URL: 127.0.0.1 - - [23/Jun/2024 13:08:08] "GET /?state=xxx&code=xxx&scope=https://www.googleapis.com/auth/cloud-platform HTTP/1.1" 200 91

The authentication flow has completed.
Creating project "Got Your Back Project"...
Checking project status...
Project still being created. Sleeping 1 seconds
Checking project status...
Project still being created. Sleeping 4 seconds
Checking project status...
 enabling API drive.googleapis.com...
 enabling API gmail.googleapis.com...
 enabling API groupsmigration.googleapis.com...
 enabling API iap.googleapis.com...
 enabling API vault.googleapis.com...
Creating Service Account

400: b'{
  "error": {
    "code": 400,
    "message": "Key creation is not allowed on this service account.",
    "status": "FAILED_PRECONDITION",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [
          {
            "type": "constraints/iam.disableServiceAccountKeyCreation",
            "subject": "projects/gyb-project-d0i-771-95i/serviceAccounts/gyb-project-d0i-771-95i@gyb-project-d0i-771-95i.iam.gserviceaccount.com?configvalue=gyb-project-d0i-771-95i%40gyb-project-d0i-771-95i.iam.gserviceaccount.com",
            "description": "Key creation is not allowed on this service account."
          }
        ]
      }
    ]
  }

' - 400

emilthemaker commented 2 months ago

Stuck here too

dwhaggard commented 2 months ago

I don't recall the exact process but it seems as though Google has turned on some defaults to increase security. These need to be disabled at your own risk.

Basically use the organizational policy menu on your organization to filter policies with "Service Account". Edit these policies in the list with "Disable" in the name. These need to be turned off. Might need to add a rule of enforce - off. Also might need to adjust your permissions to allow editing them. Once you get that sorted, GYB works.
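The 400 response in the report names the exact organization policy constraint in its `violations[].type` field, so an administrator can review that one policy for the affected project rather than searching every policy with "Disable" in its name. The following is an added example, not part of the thread or of GYB's code: the function name `blocked_by_org_policy` is hypothetical, and the sample body is constructed to match the shape of the error above with a placeholder project ID.

```python
import json
import re

# Constructed sample shaped like the 400 body in the report above;
# the project ID and service account name are placeholders.
SAMPLE_BODY = b'''{"error": {
  "code": 400,
  "message": "Key creation is not allowed on this service account.",
  "status": "FAILED_PRECONDITION",
  "details": [{
    "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
    "violations": [{
      "type": "constraints/iam.disableServiceAccountKeyCreation",
      "subject": "projects/example-project/serviceAccounts/sa@example-project.iam.gserviceaccount.com",
      "description": "Key creation is not allowed on this service account."
    }]
  }]
}}'''

PRECONDITION = "type.googleapis.com/google.rpc.PreconditionFailure"

def blocked_by_org_policy(body):
    """Return [(constraint, project_id)] for each org-policy violation in body."""
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    try:
        error = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return []  # not a JSON object: nothing to report
    if not isinstance(error, dict):
        return []
    hits = []
    for detail in error.get("details", []):
        if detail.get("@type") != PRECONDITION:
            continue  # other detail types carry no constraint name
        for v in detail.get("violations", []):
            vtype = v.get("type", "")
            if not vtype.startswith("constraints/"):
                continue  # precondition failure unrelated to org policy
            m = re.match(r"projects/([^/]+)/", v.get("subject", ""))
            hits.append((vtype, m.group(1) if m else None))
    return hits

if __name__ == "__main__":
    for constraint, project in blocked_by_org_policy(SAMPLE_BODY):
        print(f"Org policy {constraint} blocks key creation in project {project}")
```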