GCP Professional Cloud Architect Practice Question

You are designing IAM for a new analytics platform on Google Cloud. It runs a Cloud Run service that queries BigQuery. Requirements: 1) The service must authenticate to BigQuery without relying on developer credentials and should benefit from automatic key rotation. 2) A team of analysts whose membership changes frequently needs Viewer access to Cloud Logging logs. 3) The security team wants to apply IAM constraints to every employee account in one action. Which identity types satisfy requirements 1, 2, and 3 respectively?

Cloud Identity or Google Workspace domain; Service Account; individual Google Accounts
Google Account; Google Group; Service Account
Service Account; Google Group; Cloud Identity or Google Workspace domain
Service Account; individual Google Accounts; Google Group

Report Issue

Answer Description

A service account is the recommended identity for workloads such as Cloud Run services because it is not tied to a human user and its keys are automatically rotated by Google when you avoid long-lived user-managed keys. A Google Group is ideal for the analysts: IAM roles can be granted to the group once, and changes in membership are handled in the group, not in every policy. To cover every employee with a single IAM binding, you grant the role to the organization's Cloud Identity or Google Workspace domain principal (domain:example.com), which represents all accounts in that domain. The other options mis-apply identity types: individual Google Accounts should not be embedded in code; service accounts are not meant to group humans; and Google Groups do not automatically include all domain users.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.