Your company stores sensitive data in a Cloud Storage bucket that is accessible only to a production microservice through its own service account. During an incident, the on-call engineer must run a one-time gsutil cp command from their laptop using the microservice's identity. Security policy forbids distributing long-lived service-account keys and must keep an audit trail showing which human acted. Which approach meets all requirements?
Grant the engineer roles/iam.serviceAccountTokenCreator on the microservice's service account and instruct them to run gcloud auth print-access-token --impersonate-service-account before using gsutil.
Add the engineer directly to the bucket IAM policy with the Storage Object Viewer role for the duration of the incident, then remove the binding afterward.
Create a new JSON key for the service account, store it in Secret Manager, and have the engineer retrieve the key and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Give the engineer roles/iam.serviceAccountUser on the service account so they can download its existing key from the Cloud Console when needed.
Impersonation lets an authenticated user obtain a short-lived OAuth 2.0 token that represents the service account. Granting the engineer the Service Account Token Creator role on the microservice's service account authorizes them to request such tokens with the gcloud --impersonate-service-account flag. No key files are created, so there is no long-lived credential to leak, and Cloud Audit Logs record that the engineer generated and used the token. Downloading or distributing JSON keys (the two key-based choices) violates the ban on long-lived credentials, while temporarily granting the engineer direct bucket access bypasses the service-account boundary and leaves no trace of anyone acting as the service account.
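As an added example (not from the exam page or any Google tooling) of the audit trail the explanation relies on: a small Python parser over constructed Cloud Audit Log entries that attributes an impersonated Cloud Storage read back to the human engineer through serviceAccountDelegationInfo and lists who minted tokens for the service account. The service account and user names are hypothetical.

```python
# Added example, not from the exam page: attribute impersonated actions in Cloud Audit
# Logs back to the human who minted the token. Entries are CONSTRUCTED to mimic the
# AuditLog JSON shape (protoPayload.authenticationInfo.serviceAccountDelegationInfo).
SA = "prod-svc@example-project.iam.gserviceaccount.com"  # hypothetical service account
HUMAN = "oncall@example.com"                              # hypothetical engineer
SAMPLE_LOGS = [
    # 1) IAM Credentials call that minted the short-lived token: principal is the human
    {"protoPayload": {"serviceName": "iamcredentials.googleapis.com",
                      "methodName": "GenerateAccessToken",
                      "authenticationInfo": {"principalEmail": HUMAN},
                      "resourceName": f"projects/-/serviceAccounts/{SA}"}},
    # 2) bucket read done with that token: principal is the SA, chain names the human
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": SA,
                                             "serviceAccountDelegationInfo": [
                                                 {"firstPartyPrincipal": {"principalEmail": HUMAN}}]},
                      "resourceName": "projects/_/buckets/sensitive-bucket/objects/export.csv"}},
    # 3) the microservice's own read: SA principal, no delegation chain
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": SA},
                      "resourceName": "projects/_/buckets/sensitive-bucket/objects/data.bin"}},
]

def human_behind(entry):
    """Human principal in the delegation chain, or None if the SA acted on its own."""
    auth = entry["protoPayload"].get("authenticationInfo", {})
    for hop in auth.get("serviceAccountDelegationInfo", []):
        email = hop.get("firstPartyPrincipal", {}).get("principalEmail")
        if email:
            return email
    return None

def impersonated_actions(entries, service_account):
    """(human, method, resource) for each action the SA performed on a human's behalf."""
    out = []
    for e in entries:
        p = e["protoPayload"]
        human = human_behind(e)
        if p["authenticationInfo"].get("principalEmail") == service_account and human:
            out.append((human, p["methodName"], p["resourceName"]))
    return out

def token_mints(entries, service_account):
    """Principals that requested short-lived tokens for the SA (GenerateAccessToken)."""
    return [e["protoPayload"]["authenticationInfo"]["principalEmail"] for e in entries
            if e["protoPayload"]["methodName"] == "GenerateAccessToken"
            and e["protoPayload"]["resourceName"].endswith(service_account)]
```

Run against real exported log entries, the same two functions separate the microservice's own traffic (no delegation chain) from reads a human performed while impersonating it, which is exactly the trace a JSON key would not leave.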
GCP Associate Cloud Engineer
Configuring access and security