A user-managed service account named checkout-sa is used by production workloads. Lisa already has the Compute Instance Admin role on the project, but when she tries to create a new Compute Engine VM that uses checkout-sa she receives a permission denied error. You must allow Lisa to attach checkout-sa to VMs without giving her any additional permissions on other resources or changing the service account's own access. Which IAM binding satisfies the requirement?
Grant [email protected] the Service Account User role (roles/iam.serviceAccountUser) on checkout-sa.
Grant [email protected] the IAM Security Reviewer role (roles/iam.securityReviewer) at the project level.
Grant checkout-sa the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the project.
Grant [email protected] the Storage Object Viewer role (roles/storage.objectViewer) on checkout-sa.
To let a principal attach a service account to a resource, you grant that principal a role on the service account, not on the project. The Service Account User role (roles/iam.serviceAccountUser) on checkout-sa authorizes Lisa to act as, and therefore attach, the service account while giving her no permissions that the service account itself possesses. Granting Storage Object Viewer on the service account does not allow attachment. Roles such as Security Reviewer or Service Account Token Creator are unrelated to VM attachment, and assigning roles to checkout-sa rather than to Lisa would not solve Lisa's permission error.
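The difference between granting Service Account User on checkout-sa and granting it on the project, as an added example that is not part of the original question. The member address, the policy contents and the helper names are constructed placeholders, only roles/iam.serviceAccountUser is checked, and conditional bindings are ignored.

```python
import copy

ACT_AS_ROLE = "roles/iam.serviceAccountUser"  # role named in the explanation

# Constructed sample data: the member and both policies are placeholders.
LISA = "user:lisa@example.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/compute.instanceAdmin.v1", "members": [LISA]},
]}
CHECKOUT_SA_POLICY = {"bindings": []}  # IAM policy set on checkout-sa itself


def grants(policy, role, member):
    """True if the policy has an unconditional binding of role to member."""
    return any(
        b["role"] == role and member in b["members"] and "condition" not in b
        for b in policy.get("bindings", [])
    )


def attach_scope(member, sa_policy, project_policy):
    """Report where the member holds Service Account User, narrowest first."""
    if grants(sa_policy, ACT_AS_ROLE, member):
        return "service-account"
    if grants(project_policy, ACT_AS_ROLE, member):
        return "project"  # works, but covers every service account in the project
    return None


def with_binding(policy, role, member):
    """Return a copy of the policy with member added to role (read-modify-write)."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


if __name__ == "__main__":
    print("before:", attach_scope(LISA, CHECKOUT_SA_POLICY, PROJECT_POLICY))
    fixed = with_binding(CHECKOUT_SA_POLICY, ACT_AS_ROLE, LISA)
    print("after: ", attach_scope(LISA, fixed, PROJECT_POLICY))
```

A result of "project" from attach_scope is the finding to flag in a review, since that grant lets the member attach any service account in the project rather than checkout-sa alone.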
GCP Associate Cloud Engineer
Configuring access and security