An on-premises batch job must upload files to a Cloud Storage bucket every hour. Your security policy forbids distributing long-lived service-account key files, and the development team does not want to build any code that creates or signs JSON Web Tokens (JWTs). Instead, the job will call the IAM Credentials API's generateAccessToken method at runtime to obtain a short-lived credential that the Cloud Storage JSON API will accept directly in the Authorization header. Which type of credential should the job request?
Create a service account HMAC key pair for the job to use.
Request an OIDC ID token with the Cloud Storage audience.
Generate a self-signed JWT signed with the service account's private key.
Request an OAuth 2.0 access token for the service account.
The generateAccessToken method of the IAM Credentials API returns a short-lived OAuth 2.0 access token (default lifetime about one hour). Cloud Storage accepts this token when it is supplied in the Authorization header with the Bearer scheme, so the job can upload objects without any additional token-exchange or signing logic.
An OIDC ID token conveys identity for custom back ends and is rejected by Cloud Storage. A self-signed JWT would meet Cloud Storage's authentication requirements, but creating it would require custom code to assemble and sign the JWT-contradicting the stated constraint. An HMAC key pair (or any other long-lived secret) violates the security policy against distributing persistent credentials.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an OAuth 2.0 access token?
Open an interactive chat with Bash
How does the IAM Credentials API generateAccessToken method work?
Open an interactive chat with Bash
Why can't an OIDC ID token be used with Cloud Storage?
Open an interactive chat with Bash
What is the IAM Credentials API and how does it work?
Open an interactive chat with Bash
How is the OAuth 2.0 access token accepted by Cloud Storage and used for authentication?
Open an interactive chat with Bash
Why are OIDC ID tokens or self-signed JWTs not suitable for this use case?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Configuring access and security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .