GCP Professional Cloud Architect Practice Question
ExampleSoft must give an external penetration tester, Alice, temporary read-only access to Cloud Logging data in the production project. She is outside your Google Workspace, and you are not permitted to create service accounts or export logs. Which identity type should receive the Logs Viewer role (roles/logging.viewer) to uphold least-privilege principles and maintain good credential hygiene?
Add Alice to a new Google Group in ExampleSoft's domain and assign the role to that group.
Create a dedicated service account, generate a JSON key, and give the key file to Alice.
Grant the role to Alice's personal Google Account (for example, [email protected]).
Configure workload identity federation so Alice receives temporary credentials mapped to an external principal.
A personal Google Account represents an individual human user and can be granted IAM roles directly. Granting the Logs Viewer role to Alice's Gmail-based Google Account lets her authenticate interactively with her own credentials and leverage Google's security features such as 2-Step Verification, and it avoids distributing long-lived shared secrets. Service accounts are intended for non-human workloads, and sharing their keys violates best practices. A Google Group is primarily for aggregating multiple principals, not for a single external tester, and would still require managing membership. Workload identity federation issues short-lived credentials for external workloads, not for interactive console sessions by a human tester, and adds unnecessary complexity for a short engagement.
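A check that goes with the explanation above, as an added example (not part of the original question): it audits a project IAM policy, in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, for who holds roles/logging.viewer. The sample policy, the addresses in it, and the expiry condition on `request.time` (an IAM Condition the question does not mention) are constructed assumptions.

```python
import re

ROLE = "roles/logging.viewer"
# An IAM Condition of this form expires the binding (assumed convention for "temporary").
EXPIRY = re.compile(r'request\.time\s*<\s*timestamp\("[^"]+"\)')

# Constructed sample policy; all principals below are made up.
SAMPLE_POLICY = {
    "version": 3,  # conditional bindings require policy version 3
    "bindings": [
        {"role": ROLE,
         "members": ["user:alice.tester@example.com"],
         "condition": {"title": "pentest-window",
                       "expression": 'request.time < timestamp("2030-01-31T00:00:00Z")'}},
        {"role": ROLE,
         "members": ["serviceAccount:pentest@example-project.iam.gserviceaccount.com",
                     "group:pentesters@examplesoft.example"]},
    ],
}

def classify(member):
    """Map an IAM member string to its identity type."""
    if member.startswith(("principal://", "principalSet://")):
        return "federated"  # workload/workforce identity federation
    prefix = member.split(":", 1)[0]
    return prefix if prefix in ("user", "group", "serviceAccount", "domain") else "other"

def audit(policy, role=ROLE):
    """Return (member, reason) for each holder of `role` that is not a time-limited user."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        expression = (binding.get("condition") or {}).get("expression", "")
        timed = bool(EXPIRY.search(expression))
        for member in binding.get("members", []):
            kind = classify(member)
            if kind != "user":
                findings.append((member, f"{kind} principal, not an individual Google Account"))
            elif not timed:
                findings.append((member, "user binding has no expiry condition"))
    return findings

if __name__ == "__main__":
    for member, reason in audit(SAMPLE_POLICY):
        print(f"{member}: {reason}")
```

On the sample policy the audit reports the service account and the group, and passes the time-limited `user:` binding.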
GCP Professional Cloud Architect
Designing for security and compliance