GCP Professional Cloud Security Engineer Practice Question
Your organization has created a workforce identity pool called europe-contractors and an OIDC workforce identity provider that trusts Azure AD (now Microsoft Entra ID). The Azure AD application issues ID tokens with claims such as sub, oid, email, and upn. Contractors can authenticate to Azure AD, but when they run gcloud auth login with a login configuration for the new pool, the Security Token Service rejects the token exchange with the error "subject is empty." Which Google Cloud configuration change will resolve this issue?
Assign the iam.serviceAccountTokenCreator role to the Azure AD enterprise application on the workforce identity pool.
Delete the existing workforce identity provider and recreate it as a workload identity provider that supports service account impersonation.
Add an attribute mapping in the workforce identity provider that maps the Azure AD oid claim to the reserved attribute google.subject.
Use Google Cloud Directory Sync to import the contractors' Azure AD accounts into Cloud Identity so google.subject can be resolved.
The Security Token Service requires every federated assertion to populate the reserved attribute google.subject; without it, the token exchange fails with a "subject is empty" error. In an OIDC workforce identity provider you satisfy this requirement with an attribute mapping, a CEL expression of the form google.subject=assertion.<claim>, that assigns one of the incoming ID token claims (commonly the Azure AD oid or sub claim) to google.subject. The mapped value becomes the principal identifier that IAM policies refer to (principal://iam.googleapis.com/locations/global/workforcePools/europe-contractors/subject/<value>), so it must be unique per user, stable over time, and at most 127 bytes. The oid claim is a good choice because it is the immutable object ID of the user across all applications in the tenant; Azure AD issues sub as a pairwise value that differs per application, and email and upn can change. Synchronizing Azure AD users with Cloud Identity is unnecessary because workforce identity federation purposefully avoids account duplication. Replacing the provider with a workload identity provider is irrelevant; workload identity federation is for non-human workloads, and the problem is in attribute mapping, not provider type. Granting iam.serviceAccountTokenCreator to the Azure AD application affects service account impersonation, which workforce identity federation does not require for sign-in, and it does not populate google.subject, so the error would persist.
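As an added illustration (not part of the original question and not Google's own STS code), the following Python script models the google.subject check described above. It parses the comma-separated target=expression string that gcloud's --attribute-mapping flag accepts, evaluates it against a constructed Azure AD ID token payload (all values made up), and shows the "subject is empty" condition for a provider with no google.subject mapping beside the working mapping to assertion.oid. Only the assertion.<claim> expression form is modeled, and a claim absent from the token resolving to an empty string is a simplification of the real CEL evaluation.

```python
"""Model of the google.subject check that workforce identity federation
applies to an attribute mapping. Added example, not Google's STS code."""
import re

MAX_SUBJECT_BYTES = 127  # google.subject may be at most 127 bytes

# Constructed sample payload of an Azure AD ID token carrying the claims
# the question names (sub, oid, email, upn). Every value is made up.
AZURE_AD_ID_TOKEN_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "aud": "00000000-0000-0000-0000-000000000000",
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # pairwise per application
    "oid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",        # immutable object ID
    "email": "contractor@example.com",
    "upn": "contractor@example.com",
}


class MappingError(ValueError):
    """The mapping cannot produce a usable google.subject."""


# Simplification: only the `assertion.<claim>` form of a CEL expression.
_CLAIM_REF = re.compile(r"^assertion\.([A-Za-z_][A-Za-z0-9_]*)$")


def parse_attribute_mapping(mapping: str) -> dict[str, str]:
    """Parse the comma-separated target=expression string that gcloud's
    --attribute-mapping flag accepts, e.g.
    "google.subject=assertion.oid,google.groups=assertion.groups"."""
    parsed = {}
    for entry in (e.strip() for e in mapping.split(",")):
        if not entry:
            continue
        target, sep, expr = entry.partition("=")
        if not sep or not target.strip() or not expr.strip():
            raise MappingError(f"malformed mapping entry: {entry!r}")
        parsed[target.strip()] = expr.strip()
    return parsed


def resolve(mapping: dict[str, str], claims: dict) -> dict[str, str]:
    """Evaluate each mapping expression against the token claims.
    A claim missing from the token resolves to "" (simplification)."""
    resolved = {}
    for target, expr in mapping.items():
        match = _CLAIM_REF.match(expr)
        if not match:
            raise MappingError(f"unsupported expression for {target}: {expr!r}")
        resolved[target] = str(claims.get(match.group(1), "") or "")
    return resolved


def check_subject(resolved: dict[str, str]) -> str:
    """Apply the checks that matter for google.subject; return its value."""
    subject = resolved.get("google.subject", "")
    if subject == "":
        # The condition behind the "subject is empty" error in the question:
        # either google.subject was never mapped or it mapped to nothing.
        raise MappingError("subject is empty: map a claim to google.subject")
    if len(subject.encode("utf-8")) > MAX_SUBJECT_BYTES:
        raise MappingError(f"google.subject exceeds {MAX_SUBJECT_BYTES} bytes")
    return subject


def diagnose(mapping: str, claims: dict = AZURE_AD_ID_TOKEN_CLAIMS) -> str:
    """Return 'ok: <subject>' for a working mapping, or 'error: <reason>'."""
    try:
        return "ok: " + check_subject(resolve(parse_attribute_mapping(mapping), claims))
    except MappingError as err:
        return f"error: {err}"


if __name__ == "__main__":
    # Provider as described in the question: google.subject is not mapped.
    print(diagnose("google.groups=assertion.groups"))
    # The fix from the correct answer: map the stable oid claim to google.subject.
    print(diagnose("google.subject=assertion.oid,google.groups=assertion.groups"))
```

The equivalent change on the real provider is one gcloud call, for example gcloud iam workforce-pools providers update-oidc PROVIDER_ID --workforce-pool=europe-contractors --location=global --attribute-mapping="google.subject=assertion.oid", where PROVIDER_ID is whatever the organization named its provider (the question does not give it). Running the script against a decoded token from the identity provider before applying the mapping confirms that the chosen claim is actually present and within the byte limit.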
Exam domain: Configuring Access