Your team is deploying a container on Cloud Run that must publish messages to Pub/Sub. The container code runs unattended and must authenticate without embedding user credentials. Central security mandates that the identity used can be tracked in IAM, rotates automatically, and can be limited to only the Pub/Sub Publisher role. Which identity design best meets these requirements when the container calls the Pub/Sub API?
Create a separate Gmail account for the application, enable 2-step verification, generate an OAuth token, and store the token as a secret in Cloud Run.
Create a dedicated service account, grant it the Pub/Sub Publisher role, and set it as the runtime service account for the Cloud Run service.
Let the Cloud Run service inherit the personal Google account of the engineer who deploys it, since that user already has Editor permissions.
Grant the Pub/Sub Publisher role to a Google Group of developers and configure the container to authenticate using the group's email address at runtime.
Service accounts are special non-human Google Cloud identities meant for applications and compute workloads. When you configure Cloud Run to run as a user-managed service account, the platform automatically injects short-lived access tokens for that account, so the code never stores long-lived secrets. The service account appears in Cloud Audit Logs, can be granted just the Pub/Sub Publisher role, and its keys are rotated by Google. Using a personal Google account, a Google Group, or a stand-alone Gmail account either violates the principle of least privilege, embeds static credentials, or represents a human identity, none of which satisfies the stated security requirements.
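The check below is an added example, not part of the original question or of any Google tooling. It audits a Cloud Run service description and an IAM policy for the design the explanation calls for: a dedicated runtime service account that holds only the Pub/Sub Publisher role. It assumes the JSON shapes of a Cloud Run service (spec.template.spec.serviceAccountName) and of an IAM policy (bindings with role and members); the audit function and all sample names are hypothetical.

```python
PUBLISHER = "roles/pubsub.publisher"

def audit(service: dict, policy: dict) -> list:
    """Return findings; an empty list means the identity design is sound."""
    findings = []
    spec = service.get("spec", {}).get("template", {}).get("spec", {})
    sa = spec.get("serviceAccountName", "")
    if not sa:
        findings.append("no runtime service account set")
    elif sa.endswith("-compute@developer.gserviceaccount.com"):
        findings.append("runtime identity is the default compute service account")
    elif not sa.endswith(".iam.gserviceaccount.com"):
        findings.append("runtime identity is not a user-managed service account")
    bindings = policy.get("bindings", [])
    # Roles held by the runtime service account itself.
    member = "serviceAccount:" + sa
    roles = {b["role"] for b in bindings if member in b.get("members", [])}
    if sa and PUBLISHER not in roles:
        findings.append("runtime service account lacks " + PUBLISHER)
    for role in sorted(roles - {PUBLISHER}):
        findings.append("excess role on runtime service account: " + role)
    # Human principals (user:, group:) should not be the publishing identity.
    for b in bindings:
        if b["role"] == PUBLISHER:
            for m in b.get("members", []):
                if m.split(":", 1)[0] in ("user", "group"):
                    findings.append("human identity holds publisher role: " + m)
    return findings

# Constructed sample data (project, account and group names are placeholders).
SA = "pubsub-publisher@example-project.iam.gserviceaccount.com"
GOOD_SERVICE = {"spec": {"template": {"spec": {"serviceAccountName": SA}}}}
GOOD_POLICY = {"bindings": [{"role": PUBLISHER, "members": ["serviceAccount:" + SA]}]}
BAD_SERVICE = {"spec": {"template": {"spec": {}}}}
BAD_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:engineer@example.com"]},
    {"role": PUBLISHER, "members": ["group:developers@example.com"]},
]}
OVERBROAD_POLICY = {"bindings": [
    {"role": PUBLISHER, "members": ["serviceAccount:" + SA]},
    {"role": "roles/editor", "members": ["serviceAccount:" + SA]},
]}

if __name__ == "__main__":
    for name, svc, pol in [("good", GOOD_SERVICE, GOOD_POLICY),
                           ("bad", BAD_SERVICE, BAD_POLICY),
                           ("overbroad", GOOD_SERVICE, OVERBROAD_POLICY)]:
        print(name, audit(svc, pol))
```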
GCP Associate Cloud Engineer
Configuring access and security