Your CI pipeline runs as the user-managed service account [email protected] in Project A. It needs to deploy a new revision to Cloud Run in Project B by impersonating the existing service account [email protected]. Security policy prohibits creating or storing long-lived service account keys. Which single IAM binding provides the least privilege required for the pipeline to obtain short-lived credentials and act as deploy-sa?
Generate a JSON key for deploy-sa and store it securely in Secret Manager for the pipeline to use.
Grant build-sa the role Service Account User (roles/iam.serviceAccountUser) on deploy-sa.
Grant build-sa the basic Owner role on Project B.
Grant build-sa the role Service Account Token Creator (roles/iam.serviceAccountTokenCreator) on deploy-sa.
Service account impersonation relies on the IAM permission iam.serviceAccounts.getAccessToken (and related create-token permissions). All of these permissions are bundled in the predefined role Service Account Token Creator (roles/iam.serviceAccountTokenCreator). Granting that role on the target service account lets the calling principal mint short-lived OAuth 2.0 access tokens and use them to call Google Cloud APIs exactly as the impersonated account. Granting Owner on the project is far broader than necessary, Service Account User only allows attaching a service account to resources but does not permit minting tokens, and generating a key contradicts the stated security policy against long-lived keys.
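An added example, not part of the exam page: an offline audit that maps a principal's bindings (on Project B and on deploy-sa itself) to the four options above, plus the IAM Credentials generateAccessToken request a principal holding Token Creator would send. The two policy dicts are constructed to mimic `gcloud ... get-iam-policy --format=json` output, and the member and service account e-mail addresses are placeholders.

```python
"""Audit impersonation grants and build the short-lived token request."""
import json
from typing import Dict, List

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
SA_USER = "roles/iam.serviceAccountUser"
OWNER = "roles/owner"
IAM_CREDS = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"

def roles_for(policy: Dict, member: str) -> List[str]:
    """Roles the policy grants to `member`, ignoring conditional bindings."""
    return [b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b]

def classify_grant(project_policy: Dict, sa_policy: Dict, member: str) -> str:
    """Classify what `member` can do with the service account:
    overbroad (Owner on the project), project-wide (Token Creator on every SA in
    the project), least-privilege (Token Creator on this SA only), attach-only
    (Service Account User: actAs, but no getAccessToken), or none."""
    proj, on_sa = roles_for(project_policy, member), roles_for(sa_policy, member)
    if OWNER in proj:
        return "overbroad"
    if TOKEN_CREATOR in proj:
        return "project-wide"
    if TOKEN_CREATOR in on_sa:
        return "least-privilege"
    if SA_USER in on_sa or SA_USER in proj:
        return "attach-only"
    return "none"

def access_token_request(sa_email: str, scopes: List[str], lifetime_s: int = 3600) -> Dict:
    """Build the generateAccessToken call a Token Creator holder makes. The
    lifetime is capped at the API's default 3600 s maximum (a longer lifetime
    requires an org-policy opt-in)."""
    if not 1 <= lifetime_s <= 3600:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    return {"url": f"{IAM_CREDS}{sa_email}:generateAccessToken",
            "body": {"scope": scopes, "lifetime": f"{lifetime_s}s"}}

# Constructed sample: build-sa holds Token Creator on deploy-sa and nothing on Project B.
BUILD_SA = "serviceAccount:build-sa@project-a.iam.gserviceaccount.com"  # placeholder
DEPLOY_SA = "deploy-sa@project-b.iam.gserviceaccount.com"               # placeholder
PROJECT_B_POLICY = {"bindings": [{"role": OWNER, "members": ["user:admin@example.com"]}]}
DEPLOY_SA_POLICY = {"bindings": [{"role": TOKEN_CREATOR, "members": [BUILD_SA]}]}

if __name__ == "__main__":
    print(classify_grant(PROJECT_B_POLICY, DEPLOY_SA_POLICY, BUILD_SA))  # least-privilege
    req = access_token_request(DEPLOY_SA, ["https://www.googleapis.com/auth/cloud-platform"], 600)
    print(json.dumps(req, indent=1))
```

Run it against real output of `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` to confirm a pipeline principal sits in the least-privilege bucket rather than the overbroad or project-wide ones.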
GCP Associate Cloud Engineer
Configuring access and security