GCP Professional Cloud Security Engineer Practice Question
A security engineering team needs to build an automated tool that runs in Cloud Run and synchronizes a nightly CSV stored in Cloud Storage with Cloud Identity. The container must add any new contractor accounts, suspend accounts that were removed from the file, and ensure every active contractor is a member of the Google Group [email protected]. The solution must avoid storing long-lived human credentials inside the image or environment and must follow the principle of least privilege by granting only the permissions required for user and group administration. Which design meets these requirements?
Generate an OAuth 2.0 client ID for the Cloud Run service, bake a long-lived refresh token into the container image, and call the Cloud Identity API directly to create and suspend users and modify group membership.
Give the Cloud Run service account the roles/iam.serviceAccountAdmin role on the organization and have the container run gcloud iam service-accounts commands to create and delete Cloud Identity users and groups.
Create a dedicated service account, enable domain-wide delegation for it, grant it the Cloud Identity User Management Admin and Groups Admin roles in the Admin console, deploy the Cloud Run service to run as this account, and invoke the Admin SDK Directory API via Application Default Credentials to manage users and groups.
Store a super administrator's username and password in Secret Manager; have the Cloud Run service fetch them at runtime and use headless browser automation to update users and groups through the Google Admin UI.
The design that meets the requirements is the dedicated service account with domain-wide delegation. The Admin SDK Directory API is the programmatic interface for creating, updating, and suspending Cloud Identity or Google Workspace users, as well as managing Google Groups and their memberships. A Cloud Run service can authenticate to Google APIs with the short-lived OAuth 2.0 access tokens that Application Default Credentials (ADC) obtains automatically for its attached service account, so no static secrets are embedded in code or configuration. Because the Directory API acts on behalf of a domain administrator, the service account must be granted domain-wide delegation and receive only the specific administrator roles needed: in this case Cloud Identity User Management Admin (to create and suspend users) and Groups Admin (to modify group membership). The other options either rely on long-lived human credentials, misuse IAM roles that do not control Cloud Identity users and groups, or embed static OAuth refresh tokens in the container, all of which violate the security requirements.
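The following is an added example, not code from the exam page or from Google, showing what the chosen design looks like in practice: the sync logic (create new contractors, suspend removed ones, ensure group membership) is separated from a thin Directory API wrapper that authenticates with ADC plus domain-wide delegation. It assumes a hypothetical `/Contractors` org unit so that the suspend step can never reach accounts outside it, a hypothetical admin user to impersonate and group address passed in by the caller, a CSV with an `email` column, and that the ADC credential obtained on Cloud Run exposes `with_subject()` (verify this against your google-auth version). The guard in `plan_sync` goes beyond the question: it refuses a run that would suspend a large fraction of contractors at once, which is what a truncated or empty nightly file would otherwise do.

```python
"""Nightly contractor sync: Cloud Storage CSV -> Cloud Identity users and one group.

Added example (not the exam page's or Google's code). Assumes the Cloud Run
service account has domain-wide delegation plus the Cloud Identity User
Management Admin and Groups Admin roles; "/Contractors" is a hypothetical OU.
"""
import csv
import io
import secrets
from dataclasses import dataclass

CONTRACTOR_OU = "/Contractors"          # hypothetical org unit holding all contractors
SCOPES = [                              # only the Directory scopes the job needs
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group.member",
]


def parse_contractor_csv(text: str) -> set[str]:
    """Return the normalised (lower-cased, de-duplicated) e-mails in tonight's CSV."""
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames or "email" not in reader.fieldnames:
        raise ValueError("CSV must have an 'email' header")
    emails = ((row.get("email") or "").strip().lower() for row in reader)
    return {e for e in emails if e}


@dataclass
class SyncPlan:
    create: list[str]
    suspend: list[str]
    add_to_group: list[str]


def plan_sync(desired: set[str], existing: dict[str, bool], members: set[str],
              max_suspend_fraction: float = 0.2) -> SyncPlan:
    """Diff the CSV against Cloud Identity. `existing` maps e-mail -> suspended flag
    for accounts in the contractor OU only. Refuse to suspend more than
    `max_suspend_fraction` of the active accounts in one run (bad-CSV safety net)."""
    active = {e for e, suspended in existing.items() if not suspended}
    create = sorted(desired - existing.keys())
    suspend = sorted(active - desired)
    if active and len(suspend) / len(active) > max_suspend_fraction:
        raise RuntimeError(f"refusing to suspend {len(suspend)} of {len(active)} "
                           "contractors in one run; check the CSV")
    return SyncPlan(create, suspend, sorted(desired - members))


def run_sync(client, csv_text: str, group_email: str) -> dict[str, int]:
    """Plan against current state, apply, and return counts for the job log."""
    desired = parse_contractor_csv(csv_text)
    plan = plan_sync(desired, client.list_contractors(), client.list_members(group_email))
    for email in plan.create:
        client.create_user(email)
    for email in plan.suspend:
        client.suspend_user(email)
    for email in plan.add_to_group:
        client.add_member(group_email, email)
    return {"created": len(plan.create), "suspended": len(plan.suspend),
            "added_to_group": len(plan.add_to_group)}


class LiveDirectoryClient:
    """Admin SDK Directory API via ADC + domain-wide delegation (not exercised offline)."""

    def __init__(self, admin_subject: str):
        import google.auth
        from googleapiclient.discovery import build
        creds, _ = google.auth.default(scopes=SCOPES)  # short-lived token, no key in the image
        # Assumption: this credential type supports delegation via with_subject().
        creds = creds.with_subject(admin_subject)       # act as a domain admin user
        self.svc = build("admin", "directory_v1", credentials=creds)

    def _pages(self, request_fn, key: str):
        token = None
        while True:
            resp = request_fn(**({"pageToken": token} if token else {})).execute()
            yield from resp.get(key, [])
            token = resp.get("nextPageToken")
            if not token:
                return

    def list_contractors(self) -> dict[str, bool]:
        users = self._pages(lambda **kw: self.svc.users().list(
            customer="my_customer", query=f"orgUnitPath={CONTRACTOR_OU}", **kw), "users")
        return {u["primaryEmail"].lower(): bool(u.get("suspended")) for u in users}

    def list_members(self, group_email: str) -> set[str]:
        members = self._pages(lambda **kw: self.svc.members().list(groupKey=group_email, **kw),
                              "members")
        return {m["email"].lower() for m in members if "email" in m}

    def create_user(self, email: str) -> None:
        self.svc.users().insert(body={
            "primaryEmail": email, "orgUnitPath": CONTRACTOR_OU,
            "name": {"givenName": email.split("@")[0], "familyName": "Contractor"},
            "password": secrets.token_urlsafe(24),   # random one-time value, never stored
            "changePasswordAtNextLogin": True,
        }).execute()

    def suspend_user(self, email: str) -> None:
        self.svc.users().patch(userKey=email, body={"suspended": True}).execute()

    def add_member(self, group_email: str, email: str) -> None:
        self.svc.members().insert(groupKey=group_email,
                                  body={"email": email, "role": "MEMBER"}).execute()


class FakeDirectoryClient:
    """In-memory stand-in with the same methods, for offline tests and dry runs."""

    def __init__(self, users: dict[str, bool], members: set[str]):
        self.users, self.members = dict(users), set(members)

    def list_contractors(self): return dict(self.users)
    def list_members(self, group_email): return set(self.members)
    def create_user(self, email): self.users[email] = False
    def suspend_user(self, email): self.users[email] = True
    def add_member(self, group_email, email): self.members.add(email)
```

Deploy `run_sync(LiveDirectoryClient(admin_subject), csv_text, group_email)` as the Cloud Run job body; the `FakeDirectoryClient` lets the planner be tested, and a dry run reviewed, without touching the directory.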
GCP Professional Cloud Security Engineer
Configuring Access