If you're trying to generate a JSON key for your Google Cloud Service Account and running into errors, you're not alone. This is one of the most common issues we see with new account setups, and the good news is it's fully fixable in a few steps.
First, understand why this is happening
Google Cloud has a built-in security rule that blocks JSON key creation by default for all new accounts. Think of it like a factory setting on a new phone. It ships locked, and you have to go in and change it yourself.
On top of that, even if you're an Admin or Super Admin in your Google Workspace account, that doesn't automatically give you the ability to change this setting in Google Cloud. They're two separate systems, and you'll need to unlock the right permission in Google Cloud specifically.
There are two things you need to do, in order:
✅ Give your account the ability to change Google Cloud security policies
✅ Turn off the rule that blocks JSON key creation
What you'll need before starting
Access to your Google Cloud Console (console.cloud.google.com)
Your account must be a Super Admin in Google Workspace
Step 1: Give your account permission to change security policies
This step unlocks your ability to change Google Cloud's organizational settings. You only need to do this once.
Go to console.cloud.google.com
In the top search bar, type "IAM" and click on IAM & Admin
On the left sidebar, click IAM
At the top of the page, look for a dropdown that shows your organization name (not a specific project). Click it and select your organization.
Click Grant Access (the blue button near the top)
In the "New principals" field, type your own email address
In the "Role" dropdown, search for "Organization Policy Administrator" and select it
Click Save
⚠️ Important!
Make sure you're at the organization level in the Google Cloud Console, not inside a specific project.
You've now given yourself the ability to modify your organization's security policies.
Step 2: Turn off the rule blocking JSON key creation
Now you'll change the specific setting that's preventing the JSON key from being created.
Still in the Google Cloud Console, use the top search bar to search for "Organization Policies"
Click on Organization Policies from the results
In the filter/search box on that page, type: disableServiceAccountKeyCreation
Click on the policy called "Disable service account key creation"
Click Manage Policy (or Edit Policy) in the top right
Under Policy source, select "Override parent's policy"
Under Enforcement, select "Off" (also shown as "Not enforced")
Click Set Policy to save
⏱️ Note: This change can take 1–2 minutes to take effect. If you try to create a key immediately and it still doesn't work, wait a moment and try again.
Step 3: Create your JSON key
Now that the policy has been updated, you can go ahead and generate your key:
In the top search bar, search for "Service Accounts"
Click on the service account you need the key for
Go to the Keys tab
Click Add Key > Create new key
Select JSON and click Create
The key file will automatically download to your computer. Keep it safe and share it with us (there is a field in the app assets form for that).
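If you prefer the command line, Steps 1 to 3 can also be done with the gcloud CLI. This is an added example, not part of the original guide or Uscreen's own tooling; ORG_ID, USER_EMAIL and SA_EMAIL are placeholders you supply, and the script name and output file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalents of Steps 1-3 (not Uscreen's or Google's script).
# GCLOUD can be overridden (e.g. GCLOUD=echo) to print the arguments instead of running.
GCLOUD="${GCLOUD:-gcloud}"
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Step 1: grant Organization Policy Administrator at the organization level.
grant_policy_admin() {  # args: ORG_ID USER_EMAIL
  "$GCLOUD" organizations add-iam-policy-binding "$1" \
    --member="user:$2" --role="roles/orgpolicy.policyAdmin"
}

# Step 2: stop enforcing the constraint for the organization.
allow_key_creation() {  # args: ORG_ID
  "$GCLOUD" resource-manager org-policies disable-enforce "$CONSTRAINT" \
    --organization="$1"
}

# Check: show the policy that is actually in effect for the organization.
show_effective_policy() {  # args: ORG_ID
  "$GCLOUD" resource-manager org-policies describe "$CONSTRAINT" \
    --organization="$1" --effective
}

# Step 3: create the JSON key; umask 077 keeps the new file owner-only.
create_json_key() {  # args: SA_EMAIL OUTPUT_FILE
  ( umask 077
    "$GCLOUD" iam service-accounts keys create "$2" --iam-account="$1" )
}

# Run all steps only when the three placeholders are supplied:
#   ./sa-key.sh ORG_ID USER_EMAIL SA_EMAIL   (script name is hypothetical)
if [ "$#" -eq 3 ]; then
  set -e
  grant_policy_admin "$1" "$2"
  allow_key_creation "$1"
  sleep 120   # the change can take 1-2 minutes to take effect
  show_effective_policy "$1"
  create_json_key "$3" "./service-account-key.json"
fi
```

Running it with GCLOUD=echo prints each command's arguments without changing anything, which is useful for reviewing what will be applied to the organization.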
Still running into issues?
Here are a few things to double-check:
Are you at the organization level in Step 1? The most common mistake is being inside a specific project instead of the organization. Look for your organization name (usually your company domain) in the project selector at the top.
Did you wait a couple of minutes after Step 2? Policy changes don't always apply instantly.
Do you have multiple Google Cloud organizations? Make sure you're making changes in the right one.
If you've followed all the steps and are still stuck, we're happy to jump on a quick call and walk through it with you. Just reach out to your Onboarding Specialist or send an email to ott@uscreen.tv, and we'll get it sorted together.
