GCP Professional Cloud Security Engineer Practice Question
Your organization keeps its production resources in project "prod-123" and runs all build pipelines in project "cicd-456". Security policy bans any long-lived service-account keys. A new pipeline executed by the Cloud Build default service account ([email protected]) must deploy updated Cloud Run services in prod-123. Engineers plan to invoke gcloud with the flag --impersonate-service-account=prod-deployer@prod-123.iam.gserviceaccount.com. Which set of IAM configuration changes will enable the deployment while honoring the security policy and the principle of least privilege?
In cicd-456, grant the Cloud Build service account roles/iam.serviceAccountUser on prod-deployer, and directly grant Cloud Build Cloud Run Admin in prod-123; prod-deployer needs no additional roles.
In prod-123, grant the Cloud Build service account the role roles/iam.serviceAccountTokenCreator on the prod-deployer service account, and grant the prod-deployer service account only the required Cloud Run deployment roles within prod-123.
Create a JSON key for the prod-deployer service account, store it in Secret Manager, and allow the Cloud Build service account to access the secret; ensure prod-deployer has Cloud Run Admin in prod-123.
Place both projects inside a VPC Service Controls perimeter and grant the Cloud Build service account roles/iam.serviceAccountAdmin on prod-deployer; no further role bindings are required.
Service account impersonation requires two separate permission scopes: (1) the calling principal must be able to mint short-lived tokens for the target service account, and (2) the target service account must hold the permissions needed to operate on the destination resources. Granting the Cloud Build service account the role roles/iam.serviceAccountTokenCreator on the prod-deployer service account lets it obtain temporary credentials without creating or using any long-lived key files. The prod-deployer account itself, not the Cloud Build account, must then be granted the narrowly scoped roles (for example, Cloud Run Admin or specific deploy roles) inside the production project so that the impersonated token can deploy the service. The alternatives rely on roles/iam.serviceAccountUser, service-account keys, or broader administrator roles; they either cannot mint tokens, violate the key-management mandate, or grant unnecessary privilege, so they do not satisfy the stated requirements.
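To make the two-scope rule concrete, here is an added toy evaluator (not from this page or from Google; the Cloud Build service-account email and the simplified resource model are assumptions) that encodes each answer option as IAM bindings and checks which one lets the impersonated deploy succeed without a key file.

```python
# Toy evaluator for the two permission scopes behind `gcloud
# --impersonate-service-account`, constructed for this question. It is not
# Google's IAM engine: resource-hierarchy inheritance is ignored.
from dataclasses import dataclass, field

CLOUD_BUILD_SA = "cloud-build@cicd-456.iam.gserviceaccount.com"  # placeholder; page elides the real email
PROD_DEPLOYER = "prod-deployer@prod-123.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
RUN_ADMIN = "roles/run.admin"  # Cloud Run Admin


@dataclass
class Policy:
    bindings: dict = field(default_factory=dict)  # resource -> member -> {roles}
    uses_key_file: bool = False  # a downloaded JSON key is part of the design

    def grant(self, resource, member, role):
        self.bindings.setdefault(resource, {}).setdefault(member, set()).add(role)
        return self

    def has_role(self, resource, member, role):
        return role in self.bindings.get(resource, {}).get(member, set())


def check_impersonated_deploy(policy, caller, target, project):
    """Scope 1: caller may mint tokens for target (TokenCreator bound on the SA
    resource). Scope 2: target holds the deploy role in the destination project."""
    if policy.uses_key_file:
        return False, "long-lived key file violates the no-keys policy"
    if not policy.has_role(f"sa:{target}", caller, TOKEN_CREATOR):
        return False, f"{caller} cannot mint tokens for {target}"
    if not policy.has_role(f"project:{project}", target, RUN_ADMIN):
        return False, f"{target} cannot deploy Cloud Run services in {project}"
    return True, "ok"


# The four answer options as bindings. Option B corresponds to:
#   gcloud iam service-accounts add-iam-policy-binding $PROD_DEPLOYER \
#     --member=serviceAccount:$CLOUD_BUILD_SA --role=roles/iam.serviceAccountTokenCreator
#   gcloud projects add-iam-policy-binding prod-123 \
#     --member=serviceAccount:$PROD_DEPLOYER --role=roles/run.admin
SA = f"sa:{PROD_DEPLOYER}"
OPTIONS = {
    "A": Policy().grant(SA, CLOUD_BUILD_SA, "roles/iam.serviceAccountUser")
                 .grant("project:prod-123", CLOUD_BUILD_SA, RUN_ADMIN),
    "B": Policy().grant(SA, CLOUD_BUILD_SA, TOKEN_CREATOR)
                 .grant("project:prod-123", PROD_DEPLOYER, RUN_ADMIN),
    "C": Policy(uses_key_file=True).grant("project:prod-123", PROD_DEPLOYER, RUN_ADMIN),
    "D": Policy().grant(SA, CLOUD_BUILD_SA, "roles/iam.serviceAccountAdmin"),
}


def evaluate(option):
    return check_impersonated_deploy(OPTIONS[option], CLOUD_BUILD_SA, PROD_DEPLOYER, "prod-123")
```

Only option B passes both checks; A and D fail at the token-minting step, and C fails before any role is consulted because it depends on a key file.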
GCP Professional Cloud Security Engineer
Configuring Access