Your organization schedules a Cloud Functions job that writes data to a Cloud Storage bucket using a downloaded JSON service-account key stored in an environment variable. The security team wants to reduce the blast radius if credentials are leaked but still keep the job fully automated and non-interactive. What should you do?
Move the JSON key into Secret Manager and have the function read it at startup instead of from an environment variable.
Create a new service-account key and schedule automatic key rotation every 90 days with Cloud Scheduler.
Refactor the function to call the IAM Credentials API to impersonate the service account and retrieve a short-lived access token at each invocation, then delete the existing service-account key.
Encrypt the JSON key with Cloud KMS and rotate the encryption key every 30 days.
Modify the Cloud Function so that, at runtime, it calls the IAM Credentials API to impersonate the target service account and obtain a short-lived OAuth 2.0 access token for the Cloud Storage scope. Each token is valid for about one hour and contains no reusable private key material, so any leaked credential rapidly becomes useless. After verifying the new workflow, delete the existing service-account key files to eliminate the long-lived private key. Merely storing or encrypting the JSON key, or rotating it on a schedule, still leaves a long-lived credential that could be abused if exposed.
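The following is an added illustration, not part of the exam explanation above: it builds the IAM Credentials API `generateAccessToken` request that the refactored function would send to impersonate the target service account for the Cloud Storage scope, and reads the short-lived token and its remaining lifetime from the response. The service-account address, the injected `post` transport and the response body are constructed for offline use.

```python
"""Added example: shape of an IAM Credentials API impersonation call.
The HTTP transport is injected so the module runs offline; the response
below is constructed, not captured from Google."""
from datetime import datetime, timezone

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
STORAGE_RW_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write"
MAX_LIFETIME_S = 3600  # default maximum lifetime the API grants


def build_token_request(target_sa, scopes, lifetime_s=MAX_LIFETIME_S):
    """Return (url, body) for projects/-/serviceAccounts/{sa}:generateAccessToken."""
    if not 1 <= lifetime_s <= MAX_LIFETIME_S:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    url = f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{target_sa}:generateAccessToken"
    body = {"scope": list(scopes), "lifetime": f"{lifetime_s}s"}
    return url, body


def parse_token_response(resp_json, now):
    """Extract the bearer token and how many seconds it remains valid."""
    expires = datetime.fromisoformat(resp_json["expireTime"].replace("Z", "+00:00"))
    remaining = int((expires - now).total_seconds())
    if remaining <= 0:
        raise ValueError("token already expired")
    return resp_json["accessToken"], remaining


def fetch_storage_token(target_sa, post, now):
    """Impersonate target_sa through an injected `post(url, body) -> dict`.
    In production, `post` is authenticated as the function's own runtime
    identity, which needs roles/iam.serviceAccountTokenCreator on target_sa."""
    url, body = build_token_request(target_sa, [STORAGE_RW_SCOPE])
    return parse_token_response(post(url, body), now)


def _fake_post(url, body):
    """Constructed stand-in for the real endpoint (no network)."""
    assert url.endswith(":generateAccessToken") and body["lifetime"] == "3600s"
    return {"accessToken": "ya29.constructed-example-token",
            "expireTime": "2024-01-01T01:00:00Z"}


def demo():
    """Run the flow against the fake transport at a fixed clock; returns (token, secs)."""
    t0 = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    sa = "writer@example-project.iam.gserviceaccount.com"  # constructed name
    return fetch_storage_token(sa, _fake_post, t0)


if __name__ == "__main__":
    print(demo())  # ('ya29.constructed-example-token', 3600)
```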
GCP Associate Cloud Engineer
Configuring access and security