Google Cloud Professional Cloud Developer — Question 91
You have written a Cloud Function that accesses other Google Cloud resources. You want to secure the environment using the principle of least privilege. What should you do?
Answer options
- A. Create a new service account that has Editor authority to access the resources. The deployer is given permission to get the access token.
- B. Create a new service account that has a custom IAM role to access the resources. The deployer is given permission to get the access token.
- C. Create a new service account that has Editor authority to access the resources. The deployer is given permission to act as the new service account.
- D. Create a new service account that has a custom IAM role to access the resources. The deployer is given permission to act as the new service account.
Correct answer: D
Explanation
Option D is correct. A Cloud Function runs as a runtime service account, so the function should get a dedicated service account that holds only a custom IAM role containing the specific permissions its code needs, rather than the basic Editor role, which grants write access to almost every service in the project. Deploying a function with a non-default runtime service account also requires the deployer to hold the iam.serviceAccounts.actAs permission on that account (normally through roles/iam.serviceAccountUser); that is the "act as" grant in options C and D. Options A and C fail least privilege because of the Editor role. Option B pairs the right custom role with the wrong deployer grant: permission to get an access token (roles/iam.serviceAccountTokenCreator) lets the deployer impersonate the service account directly but does not include actAs, so the deployment would be rejected while the deployer is left holding an impersonation capability the task never needed.
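The following is an added example for this question, not code from the exam page or from Google. It audits the two IAM policy documents the answer depends on (the project policy, which says what the runtime service account may do, and the service account's own policy, which says what the deployer may do with it) and flags the shapes in options A, B and C. The project, role and account names are assumptions, and the policy documents are constructed sample data in the shape returned by `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json`.

```python
"""Least-privilege audit for a Cloud Functions runtime service account.

Added example; not part of the exam page and not Google tooling. All names
below are assumptions. The gcloud commands whose result this script audits
(for the option D setup) would be:

  gcloud iam service-accounts create fn-orders-sa --project=acme-prod
  gcloud iam roles create fnOrdersReader --project=acme-prod \
      --permissions=storage.objects.get,pubsub.topics.publish
  gcloud projects add-iam-policy-binding acme-prod \
      --member=serviceAccount:fn-orders-sa@acme-prod.iam.gserviceaccount.com \
      --role=projects/acme-prod/roles/fnOrdersReader
  gcloud iam service-accounts add-iam-policy-binding \
      fn-orders-sa@acme-prod.iam.gserviceaccount.com \
      --member=user:deployer@acme.example --role=roles/iam.serviceAccountUser
  gcloud functions deploy orders --runtime=python312 --trigger-http \
      --service-account=fn-orders-sa@acme-prod.iam.gserviceaccount.com
"""
from dataclasses import dataclass

PROJECT = "acme-prod"                                            # assumed
RUNTIME_SA = f"fn-orders-sa@{PROJECT}.iam.gserviceaccount.com"   # assumed
DEPLOYER = "user:deployer@acme.example"                          # assumed
CUSTOM_ROLE = f"projects/{PROJECT}/roles/fnOrdersReader"         # assumed

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SA_USER = "roles/iam.serviceAccountUser"                   # carries iam.serviceAccounts.actAs
SA_TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"  # carries getAccessToken, signBlob, ...


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def roles_for(policy: dict, member: str) -> set[str]:
    """Roles a member holds in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(project_policy: dict, sa_policy: dict, runtime_sa: str, deployer: str) -> list[Finding]:
    """Check what the function's service account can do and what the deployer can do with it."""
    findings: list[Finding] = []
    sa_member = f"serviceAccount:{runtime_sa}"

    # 1. The runtime service account should hold a custom role, never a basic role.
    sa_roles = roles_for(project_policy, sa_member)
    for role in sorted(sa_roles & BASIC_ROLES):
        findings.append(Finding("HIGH", f"{runtime_sa} holds basic role {role}; "
                                        "replace it with a custom role listing only the needed permissions"))
    if not any("/roles/" in r for r in sa_roles if r.startswith(("projects/", "organizations/"))):
        findings.append(Finding("MEDIUM", f"{runtime_sa} has no custom role; the function cannot reach its resources"))

    # 2. The deployer needs actAs (Service Account User) on that account, not token creation.
    deployer_roles = roles_for(sa_policy, deployer)
    if SA_USER not in deployer_roles:
        findings.append(Finding("HIGH", f"{deployer} lacks {SA_USER} on {runtime_sa}; "
                                        "deploying with --service-account needs iam.serviceAccounts.actAs"))
    if SA_TOKEN_CREATOR in deployer_roles:
        findings.append(Finding("MEDIUM", f"{deployer} holds {SA_TOKEN_CREATOR} on {runtime_sa}; "
                                          "that mints tokens as the function, which deployment does not need"))
    return findings


def policies_for_option(option: str) -> tuple[dict, dict]:
    """Constructed project and service-account policies matching answer options A-D."""
    sa_role = {"A": "roles/editor", "B": CUSTOM_ROLE, "C": "roles/editor", "D": CUSTOM_ROLE}[option]
    deployer_role = {"A": SA_TOKEN_CREATOR, "B": SA_TOKEN_CREATOR, "C": SA_USER, "D": SA_USER}[option]
    project_policy = {"bindings": [{"role": sa_role, "members": [f"serviceAccount:{RUNTIME_SA}"]}]}
    sa_policy = {"bindings": [{"role": deployer_role, "members": [DEPLOYER]}]}
    return project_policy, sa_policy


def audit_option(option: str) -> list[Finding]:
    project_policy, sa_policy = policies_for_option(option)
    return audit(project_policy, sa_policy, RUNTIME_SA, DEPLOYER)


if __name__ == "__main__":
    for opt in "ABCD":
        result = audit_option(opt)
        print(f"Option {opt}: {'clean' if not result else ''}")
        for f in result:
            print(f"  [{f.severity}] {f.message}")
```

Only option D comes back clean; A and C are flagged for the Editor binding, and A and B for giving the deployer token creation instead of actAs. In a real project the deployer also needs a Cloud Functions deploy role on the project itself, which this check does not cover.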