GCP Professional Cloud Security Engineer Practice Question

Your organization relies on Cloud Identity and enforces least-privilege access. Human Resources produces a daily list of employees whose status has changed to TERMINATED. You have been asked to deploy an automated Cloud Run service that reads this list, suspends the user accounts, and removes them from every Google Group. The job must run unattended, avoid long-lived credentials such as stored passwords or service-account keys, and ensure each change is attributable to an identifiable principal in Cloud Audit Logs. Which approach best satisfies the requirements?

Create a dedicated service account with domain-wide delegation and only user and group admin privileges. Grant the Cloud Run runtime service account the iam.serviceAccountTokenCreator role on it, then have the workload impersonate the delegated account and invoke the Admin SDK Directory API.
Develop the Cloud Run container to use a JSON key for a Super Admin user's service account stored in Secret Manager, then call the Admin SDK Directory API with that key.
Invoke the Cloud Identity API from Cloud Run using an API key generated in the Google Cloud console; pass the key in each request to disable users and update groups.
Assign the Super Admin role directly to the Cloud Run runtime service account and call the Directory API with its default access token obtained from the metadata server.

Report Issue

Answer Description

The Admin SDK Directory API is the correct interface for programmatically suspending users and managing their group memberships. To invoke it securely from Cloud Run you should:

Create a dedicated service account in Cloud Identity, enable domain-wide delegation on it, and authorize only the Directory API scopes needed for user and group administration.
Grant that service account the minimum delegated admin roles (for example User Management Admin and Groups Admin) so the actions it performs are scoped and auditable to that principal.
Configure the Cloud Run service to run under its own runtime service account and grant that account the iam.serviceAccountTokenCreator role on the delegated service account. At runtime the code uses Application Default Credentials to impersonate (via the IAM Credentials API) the delegated service account, obtaining short-lived access tokens to call the Directory API.

This design eliminates long-lived keys, keeps permissions narrowly scoped, and records every impersonated call in Cloud Audit Logs. The other options either rely on static keys, insecure API keys, or assign overly broad Super Admin privileges, all of which violate the stated constraints.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.