GCP Professional Cloud Architect Practice Question
Your organization is refactoring its CI pipeline that uses Cloud Build to compile code, build a container image, push it to a private Artifact Registry repository, and then trigger a Cloud Run deployment. The security team has banned the creation of any long-lived service-account keys. You decide to rely on service-account impersonation so that Cloud Build can write to Artifact Registry while following the principle of least privilege. Which IAM configuration best satisfies these requirements?
Configure Workload Identity Federation for Cloud Build and map the federation principal to a service account that has roles/artifactregistry.writer.
Generate a JSON key for a deployment service account, store the key in Secret Manager, and grant that service account roles/artifactregistry.writer.
Grant roles/artifactregistry.writer directly to the Cloud Build service account; no additional bindings are required.
Create a dedicated deployment service account, grant the Cloud Build service account the Service Account User role (roles/iam.serviceAccountUser) on it, and grant the deployment account roles/artifactregistry.writer on the target repository.
Service-account impersonation requires two distinct bindings. First, the Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) must be allowed to impersonate the deployment service account; you grant this by binding the Service Account User role (roles/iam.serviceAccountUser), which includes the iam.serviceAccounts.actAs permission, on that target service account. Second, the deployment service account itself must hold the permissions needed to push container images, which roles/artifactregistry.writer provides on the specific repository or project. Granting the writer role directly to the Cloud Build service account violates least privilege, creating a JSON key violates the key ban, and Workload Identity Federation is intended for external identities rather than for Cloud Build jobs that already run inside Google Cloud.
GCP Professional Cloud Architect
Designing for security and compliance