GCP Professional Cloud Architect Practice Question
Your company uses Cloud Build to execute Terraform plans that provision GKE clusters and Cloud Storage buckets inside a production project. Security policy mandates that automation must follow the principle of least privilege and avoid unlimited permissions if the build pipeline is ever compromised. Which IAM approach best satisfies these requirements while still allowing Terraform to create and manage the necessary resources?
Grant the Cloud Build default service account the Project Owner role so Terraform can manage any resource it needs during the build.
Allow each developer's personal Google account the Service Account Token Creator (serviceAccountUser) role so they can impersonate the production service account when they trigger the build.
Create a dedicated service account for Terraform, grant it only the specific roles required to manage GKE and Cloud Storage, and configure Cloud Build to impersonate this service account when running terraform apply.
Generate a JSON key for a user-managed service account with the Project Editor role, store the key in Secret Manager, and have Cloud Build use the key to authenticate Terraform.
Creating a dedicated service account for Terraform and granting it only the specific predefined roles it needs (for example, roles/container.admin and roles/storage.admin) enforces least-privilege access. Configuring Cloud Build to impersonate that account lets the pipeline obtain short-lived, scoped credentials at runtime, eliminating the need to store long-lived keys and preventing the service from acquiring broader permissions than required.
Granting Owner or Editor on the project violates least-privilege by giving excessive rights. Allowing individual developers to impersonate the production account broadens the attack surface and also conflicts with separation-of-duties requirements. Storing a JSON key for a highly privileged account in Secret Manager still risks key leakage and does not restrict the account's capabilities. Therefore, the dedicated, narrowly scoped service account with impersonation is the most secure and compliant choice.
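As an added illustration (not part of the original question or its explanation), the following cloudbuild.yaml runs Terraform under a dedicated, narrowly scoped service account rather than the default Cloud Build account; PROJECT_ID, the terraform-ci account name and the Terraform image tag are placeholders/assumptions.

```yaml
# Added example: Cloud Build config that executes Terraform as a dedicated
# service account instead of the default Cloud Build service account.
# Assumptions: PROJECT_ID, the terraform-ci account name and the image tag.
#
# Before running this, bind only the roles Terraform needs to that account,
# e.g. roles/container.admin and roles/storage.admin on the production
# project, plus roles/logging.logWriter so the build can write its own logs.
# No JSON key is created; Cloud Build obtains short-lived credentials itself.

steps:
  - id: terraform-init
    name: hashicorp/terraform:1.6
    entrypoint: terraform
    args: ["init", "-input=false"]

  - id: terraform-plan
    name: hashicorp/terraform:1.6
    entrypoint: terraform
    args: ["plan", "-input=false", "-out=tfplan"]

  - id: terraform-apply
    name: hashicorp/terraform:1.6
    entrypoint: terraform
    # Apply exactly the reviewed plan file, never a freshly computed plan.
    args: ["apply", "-input=false", "tfplan"]

# The build runs as this account; its IAM bindings bound what Terraform can do.
serviceAccount: projects/PROJECT_ID/serviceAccounts/terraform-ci@PROJECT_ID.iam.gserviceaccount.com

options:
  # Required when a user-specified service account is used without a
  # dedicated logs bucket.
  logging: CLOUD_LOGGING_ONLY
```

Whoever submits the build or owns the trigger needs roles/iam.serviceAccountUser on the terraform-ci account, so that permission should be limited to the pipeline's trigger identity rather than individual developers.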
Exam domain: GCP Professional Cloud Architect, Managing implementation