Your project contains a user-managed service account named analytics-sa that already has the Storage Object Viewer role on a Cloud Storage bucket where job outputs are written. A data analyst, [email protected], tries to launch a Dataflow job configured to run as analytics-sa but immediately receives the error: "principal is not authorized to actAs the requested service account." You must resolve the issue while following least-privilege practices. Which IAM change should you make?
Grant [email protected] the Storage Object Viewer (roles/storage.objectViewer) role on analytics-sa.
Grant analytics-sa the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role on the project.
Grant analytics-sa the Editor (roles/editor) role on the project.
Grant [email protected] the Service Account User (roles/iam.serviceAccountUser) role on analytics-sa.
The error shows that Alice lacks permission to impersonate the service account. That permission is iam.serviceAccounts.actAs, which is included in the Service Account User role. Granting Alice that role on the analytics-sa service account lets her attach or impersonate it when starting the job. Granting roles to the service account itself (such as Editor or Token Creator) would change what the service account can do, not what Alice can do on it, and granting Alice Storage Object Viewer on the account is invalid and would not provide actAs permission.
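The reasoning above can be checked against IAM policy documents in the `bindings` format that `get-iam-policy` returns. The following is an added example, not part of the original question: it is a simplified model rather than Google's policy evaluator, the member strings are constructed placeholders, and only the role the explanation names as carrying actAs is modeled.

```python
# Simplified model of the actAs check (added example, not Google's evaluator).
# Assumption: only the role the explanation names is treated as granting
# iam.serviceAccounts.actAs; other roles that may include it are not modeled.
ROLES_WITH_ACTAS = {"roles/iam.serviceAccountUser"}

ALICE = "user:alice@example.com"  # constructed placeholder address
SA = "serviceAccount:analytics-sa@PROJECT_ID.iam.gserviceaccount.com"  # placeholder project

def actas_scopes(member, sa_policy, project_policy):
    """Return the scopes at which `member` holds a role that carries actAs."""
    scopes = []
    for scope, policy in (("service-account", sa_policy), ("project", project_policy)):
        for binding in policy.get("bindings", []):
            if binding["role"] in ROLES_WITH_ACTAS and member in binding.get("members", []):
                scopes.append(scope)
    return scopes

def review(member, sa_policy, project_policy):
    """Classify a member's ability to run jobs as the service account."""
    scopes = actas_scopes(member, sa_policy, project_policy)
    if not scopes:
        return "denied: no actAs on the service account"
    if "project" in scopes:
        # A project-level grant covers every service account in the project.
        return "allowed, over-broad: actAs on all service accounts in the project"
    return "allowed: actAs scoped to this service account only"

def bind(role, member):
    return {"bindings": [{"role": role, "members": [member]}]}

EMPTY = {"bindings": []}
# The four answer options as (policy on analytics-sa, policy on the project).
# The first is modeled only to show it carries no actAs; the explanation calls it invalid.
OPTIONS = {
    "objectViewer to Alice on analytics-sa": (bind("roles/storage.objectViewer", ALICE), EMPTY),
    "tokenCreator to analytics-sa on project": (EMPTY, bind("roles/iam.serviceAccountTokenCreator", SA)),
    "editor to analytics-sa on project": (EMPTY, bind("roles/editor", SA)),
    "serviceAccountUser to Alice on analytics-sa": (bind("roles/iam.serviceAccountUser", ALICE), EMPTY),
}

def evaluate_options():
    return {name: review(ALICE, sa, proj) for name, (sa, proj) in OPTIONS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_options().items():
        print(f"{name}: {verdict}")
```

The same `review` function flags a Service Account User grant made at project level, which resolves the error but gives the analyst actAs on every service account in the project.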
GCP Associate Cloud Engineer
Configuring access and security