When logging in via CLI on Google Cloud, it is possible to encounter a key creation error message such as:
ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Precondition check failed.
The error appears when the service account has already reached the maximum number of keys allowed.
Refer to the Google documentation for the maximum number of keys allowed per service account:
Each service account can have a maximum of 10 keys. Once this limit is reached, no further key can be created, so the user will not be able to log in and will encounter the error message.
Solution:
Option 1: Create a new service account as stated in the DKP Guide (option 1). https://docs.d2iq.com/dkp/2.3/gcp-quick-start#id-(2.3)GCPQuickStart-GCPprerequisites
Option 2: Delete service account keys via CLI or Console. https://cloud.google.com/iam/docs/creating-managing-service-account-keys#deleting
Note for CLI service account key deletion: the environment variables GCP_PROJECT, SERVICE_ACCOUNT_USER, and GOOGLE_APPLICATION_CREDENTIALS should already be set before you proceed with the commands.
Example of deleting <KEY-ID> via CLI: the session below lists the keys associated with the service account, deletes the KEY-ID [8496d2ed0fdbe252c9fc2155b05a550c5c2587a4], and lists the keys again to confirm the deletion.
$ export GCP_PROJECT=mesosphere-support
export SERVICE_ACCOUNT_USER=test-serviceaccount
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json"
$ echo $GCP_PROJECT
echo $SERVICE_ACCOUNT_USER
echo $GOOGLE_APPLICATION_CREDENTIALS
mesosphere-support
test-serviceaccount
/Users/roddomingo/.gcloud/credentials.json
$ gcloud iam service-accounts keys list --iam-account="$SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
KEY_ID CREATED_AT EXPIRES_AT DISABLED
bb7d5e3bdcc03868c76fd0f5fb72295326b37165 2022-09-19T04:51:08Z 9999-12-31T23:59:59Z
d42db3903c02c266c3ee06db1a5b081982c9fd12 2022-09-19T04:53:12Z 9999-12-31T23:59:59Z
e89f15c81c0dd2a6d4ff37ea111431cf1d7037c3 2022-09-19T05:02:30Z 9999-12-31T23:59:59Z
6ef8c6abe2a22db18e5db62bda3b93c8a8e7e6c8 2022-09-19T05:03:26Z 9999-12-31T23:59:59Z
acdd804d6d2e25fd213cc4dafe173136296e559c 2022-09-19T05:03:54Z 9999-12-31T23:59:59Z
94710a4ff1ddbf2a84f156258360f232edbc2c00 2022-09-19T05:04:29Z 9999-12-31T23:59:59Z
a9a6f185b9034b8c43b176c72c13f6970c0edd6e 2022-09-19T05:04:35Z 9999-12-31T23:59:59Z
5b8cf6314a0c97db25364ef7ad5a858cdee67c6f 2022-09-19T05:04:41Z 9999-12-31T23:59:59Z
8496d2ed0fdbe252c9fc2155b05a550c5c2587a4 2022-09-19T05:04:45Z 9999-12-31T23:59:59Z
888b119435ca852ba56bcb552589f8d8b00ea35e 2022-09-19T03:13:21Z 2024-10-01T23:34:36Z
$ gcloud iam service-accounts keys delete 8496d2ed0fdbe252c9fc2155b05a550c5c2587a4 --iam-account="$SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
You are about to delete key [8496d2ed0fdbe252c9fc2155b05a550c5c2587a4] for service account
[test-serviceaccount@mesosphere-support.iam.gserviceaccount.com].
Do you want to continue (Y/n)? Y
deleted key [8496d2ed0fdbe252c9fc2155b05a550c5c2587a4] for service account [test-serviceaccount@mesosphere-support.iam.gserviceaccount.com]
$ gcloud iam service-accounts keys list --iam-account="$SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
KEY_ID CREATED_AT EXPIRES_AT DISABLED
bb7d5e3bdcc03868c76fd0f5fb72295326b37165 2022-09-19T04:51:08Z 9999-12-31T23:59:59Z
d42db3903c02c266c3ee06db1a5b081982c9fd12 2022-09-19T04:53:12Z 9999-12-31T23:59:59Z
e89f15c81c0dd2a6d4ff37ea111431cf1d7037c3 2022-09-19T05:02:30Z 9999-12-31T23:59:59Z
6ef8c6abe2a22db18e5db62bda3b93c8a8e7e6c8 2022-09-19T05:03:26Z 9999-12-31T23:59:59Z
acdd804d6d2e25fd213cc4dafe173136296e559c 2022-09-19T05:03:54Z 9999-12-31T23:59:59Z
94710a4ff1ddbf2a84f156258360f232edbc2c00 2022-09-19T05:04:29Z 9999-12-31T23:59:59Z
a9a6f185b9034b8c43b176c72c13f6970c0edd6e 2022-09-19T05:04:35Z 9999-12-31T23:59:59Z
5b8cf6314a0c97db25364ef7ad5a858cdee67c6f 2022-09-19T05:04:41Z 9999-12-31T23:59:59Z
888b119435ca852ba56bcb552589f8d8b00ea35e 2022-09-19T03:13:21Z 2024-10-01T23:34:36Z
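Before deleting keys to get back under the limit, check which key the file in GOOGLE_APPLICATION_CREDENTIALS is using, because deleting that key breaks the login you are trying to fix. The script below is an added example, not part of the original article or the DKP documentation: it reads the table printed by the keys list command and selects the oldest keys while skipping the one in use. The function names, the shortened key IDs and the sample credentials file are constructed for illustration; the script assumes the key file is a standard service account JSON key containing a private_key_id field.

```shell
#!/usr/bin/env bash
# Added example: pick service account keys to delete while keeping the key
# that GOOGLE_APPLICATION_CREDENTIALS is currently authenticating with.

# Print the private_key_id stored in a service account JSON key file.
active_key_id() {
  sed -n 's/.*"private_key_id"[[:space:]]*:[[:space:]]*"\([0-9a-f]*\)".*/\1/p' "$1" | head -n 1
}

# Read the `keys list` table on stdin; print the oldest KEY_IDs, oldest first.
#   $1 = credentials JSON file whose key must be kept
#   $2 = number of keys to select for deletion
deletion_candidates() {
  local keep
  keep="$(active_key_id "$1")"
  # Refuse to choose anything if the in-use key cannot be identified.
  [ -n "$keep" ] || { echo "no private_key_id in $1" >&2; return 1; }
  # ISO 8601 UTC timestamps sort correctly as plain strings.
  awk -v keep="$keep" '$1 ~ /^[0-9a-f]+$/ && $1 != keep { print $2, $1 }' |
    sort | head -n "$2" | awk '{ print $2 }'
}

# Constructed sample data (not from the page): shortened key IDs.
sample_listing() {
  cat <<'EOF'
KEY_ID CREATED_AT EXPIRES_AT DISABLED
aaaa0003 2022-09-19T05:02:30Z 9999-12-31T23:59:59Z
aaaa0001 2022-09-19T04:51:08Z 9999-12-31T23:59:59Z
aaaa0002 2022-09-19T04:53:12Z 9999-12-31T23:59:59Z
aaaa0004 2022-09-19T05:03:26Z 9999-12-31T23:59:59Z
EOF
}

# Constructed credentials file whose key (aaaa0001) is the oldest one listed.
sample_credentials() {
  local f
  f="$(mktemp)"
  printf '{\n  "type": "service_account",\n  "private_key_id": "aaaa0001"\n}\n' > "$f"
  echo "$f"
}

# Dry run: print the delete commands instead of executing them.
creds="$(sample_credentials)"
sample_listing | deletion_candidates "$creds" 2 | while read -r id; do
  echo "gcloud iam service-accounts keys delete $id --iam-account=<SERVICE_ACCOUNT_EMAIL>"
done
rm -f "$creds"
```

Against a real account, pipe the output of the keys list command shown above into deletion_candidates "$GOOGLE_APPLICATION_CREDENTIALS" N and review the printed commands before running any of them.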