GCP Professional Cloud Security Engineer Practice Question
Your organization is starting a three-month project with an external research institute. The researchers authenticate with their own Azure Active Directory tenant, but they need temporary access to invoke Cloud Run services and read specific Cloud Storage buckets in your Google Cloud project. Company policy forbids creating Google accounts for them and bans distributing any long-lived credentials. Which approach best satisfies all requirements while following least-privilege practices?
Generate user-managed keys for a dedicated service account that has the required IAM roles and distribute the keys to the institute's researchers for the duration of the project.
Use Google Cloud Directory Sync to import the institute's Azure AD users into Cloud Identity and enable SAML-based single sign-on for them.
Create a workforce identity pool that trusts the institute's Azure AD as an OIDC provider, map researcher groups to narrowly scoped IAM roles on the project, and let researchers obtain short-lived Google credentials on demand.
Provision temporary Google Workspace accounts for the researchers, place them in a group with the necessary IAM roles, and enforce two-step verification on those accounts.
Workforce Identity Federation lets administrators create a workforce identity pool that trusts an external IdP such as Azure AD (via OIDC or SAML). Researchers sign in to Azure AD, then exchange the resulting security token for short-lived Google Cloud credentials that map to carefully scoped IAM roles on the target project. Because no Google accounts or user-managed service-account keys are created, the solution aligns with the mandate to avoid provisioning accounts and long-lived secrets. Google Cloud Directory Sync and Google Workspace accounts would still create identities in Cloud Identity, while handing out service-account keys would violate the ban on persistent credentials.
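As an added illustration that is not part of the original question, the gcloud steps behind the chosen answer: create the workforce pool, trust the institute's Azure AD tenant as an OIDC provider, and bind only the researchers' group to narrow roles. The placeholder IDs, the group-claim mapping and the project end date are assumptions, and the IAM condition that expires the grant goes one step beyond the explanation above.

```shell
# Added example, not from the page. GCLOUD=echo dry-runs the commands.
GCLOUD="${GCLOUD:-gcloud}"

ORG_ID="ORG_ID_PLACEHOLDER"                   # numeric organization id (assumed)
PROJECT_ID="PROJECT_ID_PLACEHOLDER"
POOL_ID="research-institute-pool"
PROVIDER_ID="azure-ad-oidc"
TENANT_ID="AZURE_TENANT_ID_PLACEHOLDER"       # institute's Azure AD tenant (assumed)
GROUP_ID="AZURE_GROUP_OBJECT_ID_PLACEHOLDER"  # researchers' group object id (assumed)
BUCKET="RESEARCH_BUCKET_PLACEHOLDER"
PROJECT_END="2025-09-30T00:00:00Z"            # end of the three-month project (assumed)

# 1. Workforce pool: one trust boundary for the institute, sessions capped at 8h.
create_pool() {
  "$GCLOUD" iam workforce-pools create "$POOL_ID" \
    --organization="$ORG_ID" --location=global \
    --description="External research institute (temporary)" \
    --session-duration=8h
}

# 2. OIDC provider: trust the institute's Azure AD tenant and map its groups
#    claim to google.groups so IAM can be bound per group, not per pool.
create_oidc_provider() {
  "$GCLOUD" iam workforce-pools providers create-oidc "$PROVIDER_ID" \
    --workforce-pool="$POOL_ID" --location=global \
    --issuer-uri="https://login.microsoftonline.com/$TENANT_ID/v2.0" \
    --client-id="AZURE_APP_CLIENT_ID_PLACEHOLDER" \
    --web-sso-response-type=id-token \
    --web-sso-assertion-claims-behavior=only-id-token-claims \
    --attribute-mapping="google.subject=assertion.sub,google.groups=assertion.groups"
}

# 3. Least privilege: bind only the researcher group to the two narrow roles
#    the task needs, with an IAM condition that expires the grant at project end.
bind_group_roles() {
  member="principalSet://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/group/$GROUP_ID"
  cond="expression=request.time < timestamp(\"$PROJECT_END\"),title=research-project-expiry"
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$member" --role=roles/run.invoker --condition="$cond"
  "$GCLOUD" storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="$member" --role=roles/storage.objectViewer --condition="$cond"
}

# Researchers then sign in through the pool with:
#   gcloud iam workforce-pools create-login-config \
#     locations/global/workforcePools/$POOL_ID/providers/$PROVIDER_ID \
#     --output-file=login-config.json
#   gcloud auth login --login-config=login-config.json
# which yields short-lived credentials and creates no Google account or key.
```

Run `create_pool`, `create_oidc_provider` and `bind_group_roles` in that order; with `GCLOUD=echo` exported first, the script only prints the commands it would run.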