From 1c199fb51971d156e9d78bbfe8f06ec738ff9e62 Mon Sep 17 00:00:00 2001
From: Sangeet Mishra <143380171+SangeetaMishr@users.noreply.github.com>
Date: Wed, 13 May 2026 18:14:31 +0530
Subject: [PATCH 1/2] Document GCS policy resolution steps
Added steps for resolving GCS policy restrictions and granting permissions for service account key creation.
---
.../05. Google Cloud Storage Setup - GCS.md | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md b/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
index 6c2b3bc2d..908734b88 100644
--- a/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
+++ b/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
@@ -331,6 +331,54 @@ Also, just to clarify — `BigQuery tables` and `GCS buckets` serve different pu
- Click `Save`.
+
+## Resolution on the GCS Policy restriction:
+
+A GCP Organization Admin needs to update the organisation policy that is blocking service account key creation.
+
+### Steps 1:
+
+1. Open **Google Cloud Console**
+2. Go to **IAM & Admin → Organization Policies**
+3. Search for:
+ `Disable service account key creation`
+4. Select the policy:
+ `constraints/iam.disableServiceAccountKeyCreation`
+5. Click **Edit**
+6. Set the policy to **Not enforced** (or override it at the project level if org-level change is not allowed)
+7. Save the changes
+
+https://docs.cloud.google.com/organization-policy/restrict-service-accounts
+
+### Step 2:
+
+1.Go to **Google Cloud Console**
+2. Activate **Cloud Shell**
+3. Click **Continue** and complete the setup steps
+
+
+
+---
+
+### Run the following commands in Cloud Shell
+
+1. Authenticate (if not already authenticated):
+ ```bash
+ gcloud auth login
+
+2. List available organizations:
+
+gcloud organizations list
+
+3. Grant Organization Policy Admin role to the required user:
+
+gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
+ --member="user:ADMIN_EMAIL@yourdomain.com" \
+ --role="roles/orgpolicy.policyAdmin"
+
+4. After access is granted, update the organization policy to allow service account key creation (disable or override the constraint):
+constraints/iam.disableServiceAccountKeyCreation
+
### Reference Articles
- [GCS Pricing Details](https://cloud.google.com/storage/pricing)
From a44d6fd1e6cc664a41bd4ccf9477fc3267cc7caf Mon Sep 17 00:00:00 2001
From: Sangeet Mishra <143380171+SangeetaMishr@users.noreply.github.com>
Date: Wed, 3 Jun 2026 13:51:27 +0530
Subject: [PATCH 2/2] Update last updated date and format code blocks
Updated last updated date to June 2025 and formatted code blocks for better readability.
---
.../05. Google Cloud Storage Setup - GCS.md | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md b/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
index 908734b88..45d7a4e03 100644
--- a/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
+++ b/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
@@ -4,7 +4,7 @@
| 10 minutes read |
Level: Beginner |
- Last Updated: October 2025 |
+ Last Updated: June 2025 |
@@ -363,18 +363,29 @@ https://docs.cloud.google.com/organization-policy/restrict-service-accounts
### Run the following commands in Cloud Shell
1. Authenticate (if not already authenticated):
- ```bash
- gcloud auth login
+
+```bash
+
+gcloud auth login
+
+```
+
2. List available organizations:
+```bash
gcloud organizations list
+```
+
3. Grant Organization Policy Admin role to the required user:
+ ```bash
gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
--member="user:ADMIN_EMAIL@yourdomain.com" \
--role="roles/orgpolicy.policyAdmin"
+
+```
4. After access is granted, update the organization policy to allow service account key creation (disable or override the constraint):
constraints/iam.disableServiceAccountKeyCreation