Your security team created a user-managed service account named [email protected] that already has permission to read sensitive BigQuery datasets. Data analysts need to run bq queries from Cloud Shell by impersonating this service account and obtaining short-lived OAuth2 tokens. Analysts must not be able to create or download key files for the account. Following least-privilege, which IAM role should you grant to the analyst group on reports-sa?
Grant roles/bigquery.dataViewer at the project level
Grant roles/iam.serviceAccountTokenCreator on reports-sa
Grant roles/iam.serviceAccountKeyAdmin on reports-sa
To let a principal impersonate a service account and mint short-lived credentials, you grant the Service Account Token Creator role on that service account. This role allows generating OAuth2 access tokens, OIDC ID tokens, or signed JWTs, but it does not permit creating, downloading, or managing long-lived key files. Service Account User only lets principals attach the service account to a resource such as a VM; it cannot mint tokens. Service Account Key Admin would allow the analysts to create and download key files, violating the requirement. BigQuery Data Viewer grants data-read privileges on datasets but does nothing to let them assume the service account's identity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a service account in GCP?
Open an interactive chat with Bash
What is roles/iam.serviceAccountTokenCreator?
Open an interactive chat with Bash
What are short-lived credentials in GCP?
Open an interactive chat with Bash
What is impersonation in GCP and why is it used?
Open an interactive chat with Bash
What does the roles/iam.serviceAccountTokenCreator role do?
Open an interactive chat with Bash
Why is roles/iam.serviceAccountKeyAdmin not recommended in this scenario?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Configuring access and security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .