A production project contains the service account bq-runner@analytics-prod. Your organization forbids the distribution of long-lived service-account key files. A data engineer needs to run gcloud commands from her workstation as this service account to launch BigQuery jobs, and she must not receive any broader permissions in the project than are strictly required for impersonation. Which single IAM policy binding will meet these requirements?
Grant the data engineer the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) at the project level.
Grant the data engineer the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the bq-runner@analytics-prod service account.
Grant the data engineer the Service Account User role (roles/iam.serviceAccountUser) on the bq-runner@analytics-prod service account.
Grant the data engineer the Editor role (roles/editor) at the project level.
To let a user obtain short-lived access tokens and act as a service account, grant that user the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the specific service account. The role carries iam.serviceAccounts.getAccessToken (together with signBlob, signJwt and implicitDelegation), which is the permission the IAM Credentials API generateAccessToken method, and therefore gcloud … --impersonate-service-account, checks on the target account. Binding the role on the service-account resource rather than on the project limits the user to impersonating that one account, which is exactly the least-privilege requirement. The tokens she obtains carry only the permissions bq-runner@analytics-prod itself holds, so she gains no BigQuery access beyond what the service account already has.
Granting roles/iam.serviceAccountTokenCreator at the project level would let her impersonate every service account in the project, including any created later, which is more access than necessary. The Service Account User role (roles/iam.serviceAccountUser) carries iam.serviceAccounts.actAs, which permits attaching a service account to a resource such as a VM or a Cloud Run service, but it does not include getAccessToken, so it cannot be used for command-line impersonation. The Editor role is far too broad and still does not grant token creation for impersonation.
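The scope argument above can be checked mechanically. The following Python is an added example, not code from the exam page or from Google: it models how a project-level binding is inherited by every service account while a binding on the service-account resource applies only there, computes which accounts a principal could mint tokens for under each of the four choices (lettered A to D in the order the page lists them), and tests the least-privilege requirement. The engineer's identity (user:dana@example.com), the two extra service accounts, the full service-account e-mail addresses and the policy documents are constructed for the example, and the role-to-permission table is a simplification that lists only the service-account permissions of each role.

```python
"""Added example: evaluate service-account impersonation scope from IAM policies.

Policy documents have the shape of `gcloud ... get-iam-policy --format=json`.
Identities, extra accounts and policies below are constructed, not real.
"""
from typing import Dict, List, Set, Tuple

# Permission the IAM Credentials API checks for generateAccessToken; this is
# what `gcloud --impersonate-service-account` needs on the target account.
IMPERSONATE_PERM = "iam.serviceAccounts.getAccessToken"

# Service-account permissions of the roles the question offers. roles/editor
# is a basic role with far more permissions; only its service-account
# permissions are modelled here (assumption, consistent with the explanation).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/iam.serviceAccountTokenCreator": {
        "iam.serviceAccounts.getAccessToken",
        "iam.serviceAccounts.signBlob",
        "iam.serviceAccounts.signJwt",
        "iam.serviceAccounts.implicitDelegation",
    },
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.actAs",  # attach the SA to a VM, Cloud Run service, job...
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
    "roles/editor": {
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
}

# Constructed project: the question's account plus two hypothetical others.
PROJECT_SAS: List[str] = [
    "bq-runner@analytics-prod.iam.gserviceaccount.com",
    "etl-loader@analytics-prod.iam.gserviceaccount.com",
    "admin-ops@analytics-prod.iam.gserviceaccount.com",
]
TARGET_SA = PROJECT_SAS[0]
ENGINEER = "user:dana@example.com"  # hypothetical data engineer

Policy = Dict[str, List[Dict[str, object]]]


def effective_permissions(project_policy: Policy, sa_policies: Dict[str, Policy],
                          sa_email: str, member: str) -> Set[str]:
    """Permissions `member` holds on one service account: project-level bindings
    are inherited by every SA in the project, SA-level bindings apply only there."""
    bindings = list(project_policy.get("bindings", []))
    bindings += sa_policies.get(sa_email, {}).get("bindings", [])
    perms: Set[str] = set()
    for binding in bindings:
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(str(binding["role"]), set())
    return perms


def impersonable_accounts(project_policy: Policy, sa_policies: Dict[str, Policy],
                          member: str, service_accounts: List[str] = PROJECT_SAS) -> List[str]:
    """Every service account in the project the member can obtain tokens for."""
    return [sa for sa in service_accounts
            if IMPERSONATE_PERM in effective_permissions(project_policy, sa_policies, sa, member)]


def meets_requirement(project_policy: Policy, sa_policies: Dict[str, Policy],
                      member: str, target: str) -> bool:
    """Least privilege as the question states it: impersonate the target and nothing else."""
    return impersonable_accounts(project_policy, sa_policies, member) == [target]


def option_policies(option: str) -> Tuple[Policy, Dict[str, Policy]]:
    """(project policy, per-SA policies) produced by each answer choice, A-D in page order."""
    def binding(role: str) -> Dict[str, object]:
        return {"role": role, "members": [ENGINEER]}
    empty: Policy = {"bindings": []}
    if option == "A":  # Token Creator on the whole project
        return {"bindings": [binding("roles/iam.serviceAccountTokenCreator")]}, {}
    if option == "B":  # Token Creator on bq-runner only
        return empty, {TARGET_SA: {"bindings": [binding("roles/iam.serviceAccountTokenCreator")]}}
    if option == "C":  # Service Account User on bq-runner only
        return empty, {TARGET_SA: {"bindings": [binding("roles/iam.serviceAccountUser")]}}
    if option == "D":  # Editor on the whole project
        return {"bindings": [binding("roles/editor")]}, {}
    raise ValueError(f"unknown option {option!r}")


def evaluate_options() -> Dict[str, Tuple[List[str], bool]]:
    """For each choice: accounts the engineer could impersonate, and whether it meets the requirement."""
    results: Dict[str, Tuple[List[str], bool]] = {}
    for opt in "ABCD":
        project_policy, sa_policies = option_policies(opt)
        results[opt] = (impersonable_accounts(project_policy, sa_policies, ENGINEER),
                        meets_requirement(project_policy, sa_policies, ENGINEER, TARGET_SA))
    return results


if __name__ == "__main__":
    for opt, (accounts, ok) in evaluate_options().items():
        print(f"{opt}: {'meets' if ok else 'fails'} requirement; can impersonate {accounts or 'nothing'}")
```

Only choice B yields exactly one impersonable account; A yields all three because the project-level binding is inherited, and C and D yield none because neither role carries getAccessToken. In a real project the same check is done against the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`; the correct binding itself is created with `gcloud iam service-accounts add-iam-policy-binding SA_EMAIL --member="user:EMAIL" --role="roles/iam.serviceAccountTokenCreator"`, after which `gcloud auth print-access-token --impersonate-service-account=SA_EMAIL` confirms the engineer can mint a short-lived token without any key file.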
GCP Associate Cloud Engineer
Configuring access and security