GCP Professional Cloud Architect Practice Question
A retail analytics company is containerizing a Python service and deploying it to Cloud Run in multiple regions. The service must query a specific BigQuery dataset at runtime. Security has issued two hard requirements:
No long-lived secrets such as user credentials, refresh tokens, or downloadable key files may be stored in the container image or passed through environment variables.
Each running instance must have only the permissions required to read from the target dataset.
Developers want to keep code changes minimal and rely on standard Google libraries for authentication. Which implementation best meets all of these requirements?
Generate an API key restricted to BigQuery, limit it to the Cloud Run egress IP ranges, and pass the key in the Authorization header of every request to BigQuery.
Create an IAM user account, generate an OAuth 2.0 refresh token, store the token in Secret Manager, and have the container exchange it for access tokens when calling BigQuery via the REST API.
Assign the Cloud Run service a dedicated service account with the BigQuery Data Viewer role on the required dataset, deploy the service to run under that account, and use the Python Cloud Client Library so the code relies on Application Default Credentials provided automatically at runtime.
Store a service-account JSON key file in a private Cloud Storage bucket, mount the file into the container at startup, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable so the code can authenticate to BigQuery.
Granting the Cloud Run service its own dedicated service account with the BigQuery Data Viewer role on the target dataset satisfies the principle of least privilege. Inside Cloud Run, the Google Cloud metadata server makes short-lived OAuth 2.0 access tokens for the attached service account available on demand. The Python Cloud Client Library, using Application Default Credentials (ADC), automatically retrieves these tokens without embedding any static keys or refresh tokens. No additional authentication code is required.
The other approaches violate one or more stated constraints:
Storing a user's OAuth refresh token in Secret Manager introduces a long-lived secret and does not map cleanly to dataset-level IAM.
API keys cannot authorize BigQuery queries and do not provide fine-grained IAM controls.
Copying a service-account JSON key file into Cloud Storage still creates a long-lived secret that must be managed and rotated.
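To make the correct option concrete, here is an added example (not part of the practice question, and not Google's own code) of what a Cloud Run service written this way looks like. It assumes the dedicated service account has already been attached to the service at deploy time (for example with the --service-account flag of gcloud run deploy), that the project, dataset and table names are placeholders, and that the metadata-server token response used in the comments is constructed for illustration. The block also shows the two things a reviewer would want to verify: that the container's environment carries no static key material, and that the only credential the process ever sees is the short-lived token ADC fetches from the metadata server.

```python
"""Cloud Run-style Python service reading BigQuery through Application
Default Credentials (ADC). Added example; identifiers are placeholders."""
from __future__ import annotations

import json
import re
import urllib.request

# Endpoint the Google auth libraries call inside Cloud Run to obtain a
# short-lived OAuth 2.0 access token for the attached service account.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)

# Conservative allow-list for project/dataset/table identifiers: BigQuery
# cannot bind identifiers as query parameters, so they are validated instead
# of being trusted when spliced into the SQL text.
_IDENT = re.compile(r"[A-Za-z0-9_\-]+")


def metadata_token_request() -> urllib.request.Request:
    """Build the request ADC sends to the metadata server.

    The Metadata-Flavor header is mandatory; the server rejects requests
    without it, which is what ADC relies on to reach the token endpoint.
    """
    return urllib.request.Request(
        METADATA_TOKEN_URL, headers={"Metadata-Flavor": "Google"}
    )


def parse_token_response(body: bytes, now: float) -> tuple[str, float]:
    """Return (access_token, absolute_expiry_epoch_seconds).

    Constructed sample of what the metadata server returns:
    {"access_token": "...", "expires_in": 3599, "token_type": "Bearer"}
    Nothing durable is returned, so there is no key file to store or rotate.
    """
    payload = json.loads(body)
    if payload.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % payload.get("token_type"))
    return payload["access_token"], now + float(payload["expires_in"])


def static_credential_findings(env: dict[str, str]) -> list[str]:
    """Flag environment settings that would break the 'no long-lived secrets'
    requirement: an explicit key-file path, or an inline service-account key."""
    findings: list[str] = []
    if env.get("GOOGLE_APPLICATION_CREDENTIALS"):
        findings.append(
            "GOOGLE_APPLICATION_CREDENTIALS is set: a downloadable key file is "
            "in use instead of the service account attached to the service"
        )
    for name, value in env.items():
        if '"service_account"' in value and '"private_key"' in value:
            findings.append(f"{name} contains an inline service-account JSON key")
    return findings


def read_rows(project: str, dataset: str, table: str, limit: int) -> list[dict]:
    """Query the dataset with the Cloud Client Library using ADC.

    bigquery.Client() is given no credentials: inside Cloud Run it resolves
    them from the metadata server automatically. LIMIT is bound as a query
    parameter rather than interpolated into the SQL string.
    """
    from google.cloud import bigquery  # lazy import; the checks above run without it

    for ident in (project, dataset, table):
        if not _IDENT.fullmatch(ident):
            raise ValueError(f"refusing unsafe identifier: {ident!r}")
    client = bigquery.Client(project=project)
    sql = f"SELECT * FROM `{project}.{dataset}.{table}` LIMIT @limit"
    job_config = bigquery.QueryJobConfig(
        query_parameters=[bigquery.ScalarQueryParameter("limit", "INT64", limit)]
    )
    return [dict(row) for row in client.query(sql, job_config=job_config).result()]


if __name__ == "__main__":
    import os

    # Refuse to start if the deployment smuggled in a static key.
    problems = static_credential_findings(dict(os.environ))
    if problems:
        raise SystemExit("\n".join(problems))
    # Placeholder names; replace with the real project, dataset and table.
    for row in read_rows("example-project", "retail_analytics", "sales", 10):
        print(row)
```

One practical caveat when granting the role: roles/bigquery.dataViewer on the dataset lets the service account read table data, but running a query also requires permission to create a query job (bigquery.jobs.create, carried by roles/bigquery.jobUser) in the project that executes the job; without it the client call above fails with a permissions error even though the dataset grant is correct.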