GCP Professional Cloud Security Engineer Practice Question
A software team is building a cross-platform mobile app that lets Google Workspace users view and update objects in their own Cloud Storage buckets. Security has mandated the following:
The app must never embed or distribute long-lived Google credentials.
Each user must grant only the minimum necessary permissions.
Users must be able to withdraw the app's access at any time without changing their passwords.
Which approach best satisfies all requirements?
Embed an API key restricted to Cloud Storage in the application code and rotate the key monthly.
Package a dedicated service account key with the mobile app and grant it the Storage Object Admin IAM role.
Implement the OAuth 2.0 authorization-code flow and request only the Cloud Storage read/write scope, storing the refresh token securely on the backend.
Use Workload Identity Federation with a public identity pool that maps each device ID to a Storage service account.
OAuth 2.0's three-legged (authorization-code) flow lets the user authenticate with Google, approve a specific set of scopes (for example, devstorage.read_write), and returns a short-lived (≈1-hour) access token plus an optional refresh token. No static credentials are shipped in the binary, and the user can later revoke the app's consent from their Google Account, which immediately invalidates the refresh token. Service account keys and API keys are long-lived and hard to revoke per user, while Workload Identity Federation addresses non-human workloads, not per-user delegation in a consumer mobile app.
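As an added illustration of the flow the explanation describes (not code from the original question page), the following Python sketches the client side of the authorization-code flow with PKCE against Google's real authorization, token and revocation endpoints, requesting only the Cloud Storage read/write scope. The client ID, redirect URI and callback URL are constructed placeholders, and the actual HTTP calls are left out so the block runs offline.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 endpoints and the scope named in the explanation.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"  # POST token=<refresh_token> to revoke
STORAGE_RW_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA-256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, state, verifier, scopes=(STORAGE_RW_SCOPE,)):
    """Step 1: the URL the app opens in the system browser. Only the listed scopes are requested."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,                       # bound to this session; verified on return
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "access_type": "offline",             # ask Google to issue a refresh token
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the one-time code out of the redirect; reject a state mismatch (CSRF check)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    return query["code"][0]


def token_exchange_body(client_id, redirect_uri, code, verifier) -> dict:
    """Step 3: form body the backend POSTs to TOKEN_ENDPOINT. The refresh token in the
    response stays server-side; the mobile binary never holds a long-lived credential."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
```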