Google Cloud Associate Cloud Engineer — Question 300
You are writing a shell script that includes a few gcloud CLI commands to access some Google Cloud resources. You want to test the script in your local development environment with a service account in the most secure way. What should you do?
Answer options
- A. Generate an ID token for the service account. Use the token with the gcloud CLI commands.
- B. Enable service account impersonation, and use the gcloud config set command to use it by default.
- C. Download the service account key file and save it in a secure location. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the key file.
- D. Download the service account key file, and use it to generate an access token. Use the token with the gcloud CLI commands.
Correct answer: B
Explanation
The correct answer is B. Enabling service account impersonation lets you use the permissions of the service account without exposing its key, which is the more secure approach. Option A involves generating an ID token, which may not be necessary for testing in this context. Option C is less secure because it requires handling the service account key file directly. Option D also uses a key file to generate an access token, which poses security risks.