Hi everyone,
We’re running into an issue that appeared sometime in the past few weeks and I’m hoping someone from the product team or community can shed some light on what changed.
Background
We’re a Google Cloud organization with a dedicated GCP project used as a sandbox for our developers to prototype with Gemini via AI Studio. We are currently in the process of migrating to Vertex AI, but our users still rely on AI Studio in the meantime.
To avoid granting overly broad permissions, we created a custom IAM role at the org level with the following permissions, specifically scoped to allow API key creation for the Generative Language API:
apikeys.keys.create
apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup
serviceusage.apiKeys.create
serviceusage.operations.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
resourcemanager.projects.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.quotas.get
serviceusage.services.list
What worked before
Users with this custom role assigned on the sandbox project were able to go into AI Studio → Get API key → select the project → and successfully create an API key tied to the Generative Language API. The key was not required to be associated with a service account.
What broke
At some point (we don’t have the exact date), this stopped working. When users try to create a key in AI Studio, they hit the following error (screenshot attached):
“You do not have permission to create a key in this project.”
The Create key button is grayed out and the flow is completely blocked.
What we’ve observed
- Users with the Editor role on the project can still create keys without any issues — so the project and the Generative Language API are correctly configured.
- It looks like the API key creation flow in AI Studio changed — previously keys for the Generative Language API could be created without a service account association; now it appears a service account linkage may be required. We’re not 100% sure if this is the root cause.
- The custom role permissions that were sufficient before no longer seem to be enough.
Our question
Has the underlying permission model for API key creation in AI Studio changed recently? If so:
- What additional IAM permissions are now required to allow non-Editor users to create Gemini API keys via AI Studio?
- Is there now a service account permission requirement involved (iam.serviceAccounts.*) that wasn’t needed before?
- Is this a known regression or an intentional change to the key creation flow?
Any guidance from the product team would be greatly appreciated. We’re happy to provide additional details or reproduce the issue in a call if that helps.
Thanks in advance!
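One practical way to narrow down a "you do not have permission" error like the one described above is to diff the custom role against a role under which the flow still works (here, Editor), and then confirm each candidate permission individually. The script below is an added example, not code from the original post or from Google. It assumes both role documents come from `gcloud iam roles describe ... --format=json`, whose output lists permissions under the `includedPermissions` key. The custom role document reproduces the post's permission list; the "working" role document is a constructed stand-in, not the real `roles/editor` permission list, and the two `iam.serviceAccounts.*` entries in it are an assumption added only so the diff is non-empty.

```python
"""Compare a custom IAM role against a role that is known to work.

Added example, not code from the original post. It assumes both role
documents were produced by `gcloud iam roles describe ... --format=json`,
whose JSON carries the permissions under "includedPermissions". Both
documents below are constructed placeholders.
"""
import json
from collections import defaultdict

# Permissions of the custom role exactly as listed in the post.
CUSTOM_ROLE_JSON = json.dumps({
    "name": "organizations/ORG_ID_PLACEHOLDER/roles/aiStudioKeyCreator",  # placeholder ids
    "includedPermissions": [
        "apikeys.keys.create",
        "apikeys.keys.get",
        "apikeys.keys.list",
        "apikeys.keys.lookup",
        "serviceusage.apiKeys.create",
        "serviceusage.operations.get",
        "serviceusage.services.enable",
        "serviceusage.services.get",
        "serviceusage.services.use",
        "resourcemanager.projects.update",
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy",
        "serviceusage.quotas.get",
        "serviceusage.services.list",
    ],
})

# Constructed stand-in for a role under which key creation still works.
# This is NOT the real roles/editor list. The two iam.serviceAccounts.*
# entries are an ASSUMPTION made so the diff has something to show;
# whether they are actually required is the open question in the post.
WORKING_ROLE_JSON = json.dumps({
    "name": "roles/editor",
    "includedPermissions": json.loads(CUSTOM_ROLE_JSON)["includedPermissions"] + [
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    ],
})


def included_permissions(role_json: str) -> set[str]:
    """Return the permission set from a `gcloud iam roles describe` JSON document."""
    return set(json.loads(role_json).get("includedPermissions", []))


def diff_roles(custom_json: str, working_json: str) -> tuple[list[str], list[str]]:
    """Return (missing, extra).

    missing: permissions the working role has that the custom role lacks
             (candidates to test one at a time).
    extra:   permissions the custom role grants beyond the working role
             (candidates for removal under least privilege).
    """
    custom = included_permissions(custom_json)
    working = included_permissions(working_json)
    return sorted(working - custom), sorted(custom - working)


def by_service(perms: set[str]) -> dict[str, list[str]]:
    """Group permissions by service prefix (text before the first dot).

    Useful when reviewing which APIs a role actually touches.
    """
    grouped: dict[str, list[str]] = defaultdict(list)
    for perm in sorted(perms):
        grouped[perm.split(".", 1)[0]].append(perm)
    return dict(grouped)


if __name__ == "__main__":
    missing, extra = diff_roles(CUSTOM_ROLE_JSON, WORKING_ROLE_JSON)
    print("In working role but not in custom role (test each individually):")
    for perm in missing:
        print("  +", perm)
    print("Granted by custom role but not by working role:")
    for perm in extra or ["(none)"]:
        print("  -", perm)
    for service, perms in by_service(included_permissions(CUSTOM_ROLE_JSON)).items():
        print(f"{service}: {len(perms)} permission(s)")
```

In practice you would replace the two embedded documents with the real `gcloud iam roles describe` output for the custom role and for `roles/editor`; the Editor list is very long, so treat the `missing` output as a list of candidates to verify with IAM Policy Troubleshooter against the affected user, rather than as permissions to add wholesale to the custom role.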