GCP - Create Service Account permission denied

iam.serviceAccounts.create permission not granted for the lab user

ERROR: (gcloud.iam.service-accounts.create) [kk_lab_user_724916@kkgcplabs02.com] does not have permission to access projects instance [kkgcplabs01-049] (or it may not exist): Permission ‘iam.serviceAccounts.create’ denied on resource ‘//cloudresourcemanager.googleapis.com/projects/kkgcplabs01-049’ (or it may not exist). This command is authenticated as kk_lab_user_724916@kkgcplabs02.com which is the active account specified by the [core/account] property.

• ‘@type’: type.googleapis.com/google.rpc.ErrorInfo
  domain: iam.googleapis.com
  metadata:
  permission: iam.serviceAccounts.create
  resource: projects/kkgcplabs01-049
  reason: IAM_PERMISSION_DENIED

Since a service account is for all intents and purposes, a user in GCP, I don’t think we allow them in the playgrounds – they can do things that are insecure and expensive from our point of view. What you can do in the playground will be done with the rights and privileges of the user that “owns” the playground.