Your organization's infosec team currently has the IAM role Security Reviewer (roles/iam.securityReviewer) on every project. A new compliance requirement states that these auditors must also be able to disable and delete service account keys, but they must not be able to create keys or modify the service accounts themselves. No single Google-managed (predefined) role exactly matches these needs. What should you do to satisfy the requirement while following the principle of least privilege?
Attach the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the auditors; it allows them to act on behalf of service accounts and therefore manage keys.
Create a project-level custom role that includes only iam.serviceAccountKeys.disable and iam.serviceAccountKeys.delete, then grant that role to the infosec group in addition to their existing Security Reviewer role.
Grant the infosec group the Service Account Admin role (roles/iam.serviceAccountAdmin) because it already contains all service-account-related permissions.
Add the predefined Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin) to the infosec group, since it is the least-privilege way to manage keys.
No existing predefined role grants only the two additional permissions needed (iam.serviceAccountKeys.disable and iam.serviceAccountKeys.delete) without also granting broader, unnecessary powers such as creating new keys or managing the entire service account. Granting a broader predefined role like Service Account Admin (roles/iam.serviceAccountAdmin) or Service Account Key Admin (roles/iam.serviceAccountKeyAdmin) would violate the principle of least privilege because both include permissions to create keys. StackÂing multiple predefined roles would still give excess privileges. The correct approach is to define a custom role that contains precisely the two missing permissions and then bind that role to the infosec group alongside their existing Security Reviewer role. This adds only the required capabilities and nothing more.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a custom role in GCP, and why create one?
Open an interactive chat with Bash
What is the principle of least privilege, and why is it important?
Open an interactive chat with Bash
What permissions do iam.serviceAccountKeys.disable and iam.serviceAccountKeys.delete provide in GCP?
Open an interactive chat with Bash
What is a custom role in GCP?
Open an interactive chat with Bash
What is the principle of least privilege in IAM?
Open an interactive chat with Bash
What are service account keys in GCP?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Configuring access and security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .