A developer receives the error PERMISSION_DENIED: caller does not have permission to generate access tokens for that service account. You must grant the least-privilege IAM role so the developer can impersonate the service account but cannot manage or attach it to other resources. Which role should you grant on the build-runner service account?
Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
Compute Engine Service Agent (roles/compute.serviceAgent)
Service Account User (roles/iam.serviceAccountUser)
Service Account Admin (roles/iam.serviceAccountAdmin)
Impersonating a service account requires the caller to create short-lived OAuth 2.0 access tokens on behalf of that account. The only role that grants the iam.serviceAccounts.getAccessToken permission without broader administrative capabilities is Service Account Token Creator (roles/iam.serviceAccountTokenCreator).
Service Account User allows attaching a service account to a resource but does not allow minting access tokens, so impersonation still fails.
Service Account Admin grants full management of the account, exceeding least privilege.
Compute Engine Service Agent is a Google-managed role unrelated to impersonation.
Therefore, granting Service Account Token Creator on the specific account lets the developer run the command successfully while limiting scope to token creation.
GCP Associate Cloud Engineer
Configuring access and security