GCP Professional Cloud Architect Practice Question
In a hub-and-spoke landing zone on Google Cloud, a centralized Cloud Build pipeline in the hub project must run gcloud commands that create BigQuery datasets and modify IAM policies in several spoke projects. The security team prohibits distributing long-lived user credentials or service-account keys, and requires that all actions be least-privilege and fully auditable. Which approach allows the build steps to authenticate to each spoke project while complying with these constraints?
Grant the Cloud Build service account Service Account Token Creator on dedicated deployment accounts in each spoke project and execute gcloud commands with the --impersonate-service-account flag.
Store JSON key files for deployment service accounts in Secret Manager and set GOOGLE_APPLICATION_CREDENTIALS to the extracted key during the build.
Download private keys for the Compute Engine default service account from each spoke project and specify them with the --account flag in successive gcloud commands.
Run gcloud auth login with an administrator's user account before the build and cache the resulting credentials in the build workspace for reuse.
Granting the Cloud Build service account the Service Account Token Creator role on deployment accounts in each spoke project lets Cloud Build obtain short-lived OAuth tokens on demand via the gcloud --impersonate-service-account flag. The build runs with Application Default Credentials, never needs to download or store private keys, and each impersonated call is logged in Cloud Audit Logs for traceability. Storing key files in Secret Manager or encoded build variables still violates the no-keys policy. Using cached user credentials would both break the key prohibition and remove clear audit trails. Downloading keys for the Compute Engine default service accounts likewise distributes long-lived secrets and grants overly broad permissions.
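The following Cloud Build configuration is an added example (not part of the original question) of the correct approach: a hub-project build that impersonates a dedicated deployment service account in a spoke project, with no key file anywhere in the pipeline. The spoke project ID, deployment account name, group address and dataset name are assumed placeholders.

```yaml
# Added example cloudbuild.yaml for the hub project. Assumed placeholders:
#   spoke project:      spoke-prod-1
#   deployment account: deployer@spoke-prod-1.iam.gserviceaccount.com
#
# One-time setup per spoke (run by an admin, outside the build): allow the hub's
# Cloud Build service account to mint short-lived tokens for the spoke's
# deployment account. Nothing is downloaded; only an IAM binding is created.
#   gcloud iam service-accounts add-iam-policy-binding \
#     deployer@spoke-prod-1.iam.gserviceaccount.com \
#     --project=spoke-prod-1 \
#     --member="serviceAccount:HUB_PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
#     --role="roles/iam.serviceAccountTokenCreator"
substitutions:
  _SPOKE_PROJECT: spoke-prod-1
  _DEPLOY_SA: deployer@spoke-prod-1.iam.gserviceaccount.com

steps:
  # Step 1: modify IAM in the spoke while impersonating its deployment account.
  # gcloud uses the build's Application Default Credentials to request a
  # short-lived token; the spoke's Cloud Audit Logs record both the deployment
  # account and the Cloud Build principal that impersonated it.
  - name: gcr.io/google.com/cloudsdktool/cloud-sdk:slim
    entrypoint: gcloud
    args:
      - projects
      - add-iam-policy-binding
      - ${_SPOKE_PROJECT}
      - --member=group:data-analysts@example.com
      - --role=roles/bigquery.dataViewer
      - --condition=None
      - --impersonate-service-account=${_DEPLOY_SA}

  # Step 2: create a BigQuery dataset in the spoke with a short-lived access
  # token minted for the same deployment account, via the BigQuery REST API.
  # "$$" is Cloud Build's escape for a literal "$" in the shell script.
  - name: gcr.io/google.com/cloudsdktool/cloud-sdk:slim
    entrypoint: bash
    args:
      - -c
      - |
        set -euo pipefail
        TOKEN="$$(gcloud auth print-access-token \
                   --impersonate-service-account="${_DEPLOY_SA}")"
        curl -sS -f -X POST \
          -H "Authorization: Bearer $${TOKEN}" \
          -H "Content-Type: application/json" \
          "https://bigquery.googleapis.com/bigquery/v2/projects/${_SPOKE_PROJECT}/datasets" \
          -d '{"datasetReference":{"projectId":"${_SPOKE_PROJECT}","datasetId":"analytics"}}'
```

The token from print-access-token expires on its own (one hour by default), so a leaked build log or workspace exposes no long-lived credential, and GOOGLE_APPLICATION_CREDENTIALS is never set to a key file.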