GCP Professional Cloud Security Engineer Practice Question
Your organization's Cloud Build runs in the devops project and deploys workloads to a production GKE cluster located in the prod project. Company policy forbids the storage or distribution of any user-managed service-account keys. During each build, the pipeline must obtain a short-lived OAuth 2.0 access token for the existing service account [email protected], and Cloud Audit Logs must show both the identity that triggered the build and the impersonated service account. Which IAM configuration best satisfies these requirements?
Configure Workload Identity Federation for Cloud Build with an external AWS provider so builds can exchange temporary AWS credentials for Google Cloud tokens linked to prod-deployer@.
Create a user-managed key for prod-deployer@, encrypt it with Cloud KMS, store it in Secret Manager, and allow Cloud Build to retrieve and use the key during deployments.
Grant the Cloud Build service account the Service Account User role (roles/iam.serviceAccountUser) on prod-deployer@ and also grant it the Kubernetes Engine Admin role on the prod project.
Grant the Cloud Build service account the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on prod-deployer@ and assign the required GKE roles directly to prod-deployer@ in the prod project.
Granting the Cloud Build service account the Service Account Token Creator role on prod-deployer@ enables it to call the IAM Credentials API to mint short-lived access tokens that represent the target service account. Because no user-managed key is created or stored, the policy banning long-lived keys is honored. When a build impersonates a service account through the Token Creator permission, Cloud Audit Logs record both the calling principal (the Cloud Build service account, which is itself linked to the user who started the build) and the impersonated account, meeting the auditing requirement. Granting only Service Account User is insufficient for token creation, while generating and storing a key or using an unrelated Workload Identity Federation setup would violate policy or add unnecessary complexity.
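As an added example that is not part of the original question or Google's own documentation, the following script shows the IAM binding, the in-build token mint, and the Logs Explorer filters that surface both identities for the chosen option; the project number and project ID are placeholders, and newer projects that default Cloud Build to the Compute Engine service account must set CB_SA accordingly.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). DEVOPS_PROJECT_NUMBER and
# PROD_PROJECT_ID are placeholder assumptions; replace them with real values.
set -eu

DEVOPS_PROJECT_NUMBER="${DEVOPS_PROJECT_NUMBER:-123456789012}"   # placeholder
PROD_PROJECT_ID="${PROD_PROJECT_ID:-prod-project-id}"             # placeholder
TARGET_SA="prod-deployer@${PROD_PROJECT_ID}.iam.gserviceaccount.com"
# Legacy default Cloud Build service account of the devops project.
CB_SA="${DEVOPS_PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

# 1. Let the build identity mint tokens for prod-deployer@; no key is created.
grant_token_creator() {
  gcloud iam service-accounts add-iam-policy-binding "$TARGET_SA" \
    --member="serviceAccount:${CB_SA}" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# 2. Inside a build step: short-lived access token via the IAM Credentials API.
mint_token() {
  gcloud auth print-access-token --impersonate-service-account="$TARGET_SA"
}

# 3. Filter for the GenerateAccessToken call: caller plus target service account.
#    Data Access audit logs for the IAM Service Account Credentials API must be on.
impersonation_filter() {
  printf 'protoPayload.methodName="GenerateAccessToken" AND protoPayload.authenticationInfo.principalEmail="%s" AND protoPayload.resourceName:"%s"' \
    "$CB_SA" "$TARGET_SA"
}

# 4. Filter for actions in prod done with the impersonated token: prod-deployer@ is
#    the principal and the Cloud Build SA appears under serviceAccountDelegationInfo.
delegation_filter() {
  printf 'protoPayload.authenticationInfo.principalEmail="%s" AND protoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail="%s"' \
    "$TARGET_SA" "$CB_SA"
}

case "${1:-}" in
  grant) grant_token_creator ;;
  mint)  mint_token ;;
  audit) gcloud logging read "$(impersonation_filter)" --project="$PROD_PROJECT_ID" --limit=20 ;;
  *)     echo "usage: $0 {grant|mint|audit}" ;;
esac
```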
Topic: Configuring Access (GCP Professional Cloud Security Engineer)