diff --git a/server/api.go b/server/api.go
index bdccfc3..ca53b9a 100644
--- a/server/api.go
+++ b/server/api.go
@@ -312,12 +312,15 @@ func newKeyVersion(d []byte, s knox.VersionStatus) knox.KeyVersion {
 }
 
 // NewKey creates a new Key with correctly set defaults.
-func newKey(id string, acl knox.ACL, d []byte, u knox.Principal) knox.Key {
+func newKey(id string, acl knox.ACL, d []byte, principal knox.Principal) knox.Key {
 	key := knox.Key{}
 	key.ID = id
 
-	creatorAccess := knox.Access{ID: u.GetID(), AccessType: knox.Admin, Type: knox.User}
-	key.ACL = acl.Add(creatorAccess)
+	// If principal is a service, we will have already checked `acl` for a human user or group
+	if auth.IsUser(principal) {
+		creatorAccess := knox.Access{ID: principal.GetID(), AccessType: knox.Admin, Type: knox.User}
+		key.ACL = acl.Add(creatorAccess)
+	}
 	for _, a := range defaultAccess {
 		key.ACL = key.ACL.Add(a)
 	}