GCP Professional Cloud Architect Practice Question

Your security team wants to grant an external automation system running in GitHub Actions the ability to deploy container images to a production Cloud Run service that resides in project "prod-app," but nothing else in the project. The automation already authenticates with GitHub's OIDC token. You create a workload identity pool and provider in the prod-app project. Which approach best satisfies least privilege while eliminating long-lived service account keys?

Bind the Cloud Run Admin predefined role to the GitHub workload identity principal at the project level.
Export a JSON key for a dedicated service account with the Cloud Run Admin role and store it as a GitHub Actions secret.
Allow the GitHub workload identity principal to impersonate a dedicated service account that has the Cloud Run Developer role on the specific Cloud Run service.
Create a custom role containing only run.services.invoke and bind it to the GitHub principal at the organization level.

Report Issue

Answer Description

Granting the GitHub principal permission to impersonate (generate short-lived tokens for) a dedicated service account avoids persistent keys and allows fine-grained scoping. By assigning the Cloud Run Developer predefined role only on the target service, the principal can deploy revisions but cannot change IAM policies or access other resources. Binding the role directly at the project level (Cloud Run Admin or Developer) would provide broader access than necessary. Storing a JSON key contradicts the requirement to avoid long-lived credentials. Granting only run.services.invoke at the organization level would not allow deployments, and assigning it at the top of the hierarchy violates least-privilege design.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.