Google Cloud Professional Cloud DevOps Engineer — Question 160
You are designing a new Google Cloud organization for a client. Your client is concerned with the risks associated with long-lived credentials created in Google Cloud. You need to design a solution to completely eliminate the risks associated with the use of JSON service account keys while minimizing operational overhead. What should you do?
Answer options
- A. Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.
- B. Use custom versions of predefined roles to exclude all iam.serviceAccountKeys.* service account role permissions.
- C. Apply the constraints/iam.disableServiceAccountKeyUpload constraint to the organization.
- D. Grant the roles/iam.serviceAccountKeyAdmin IAM role to organization administrators only.
Correct answer: A
Explanation
The correct answer is A, as applying the constraints/iam.disableServiceAccountKeyCreation constraint prevents the creation of JSON service account keys altogether, thus eliminating the associated risks. Option B does not completely remove the risk since it only modifies roles and does not prevent key creation. Option C addresses uploading keys but does not stop their creation, and option D restricts who can manage keys but does not eliminate the inherent risks of long-lived keys.
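As an added illustration (not part of the original question), this is how the organization policy from option A would be enforced at the organization node with Terraform; `var.org_id` is an assumed placeholder for the client's numeric organization ID.

```hcl
# Assumed variable: the numeric ID of the client's Google Cloud organization.
variable "org_id" {
  type = string
}

# Enforce constraints/iam.disableServiceAccountKeyCreation at the organization
# level. Every folder and project underneath inherits it, so no new user-managed
# (JSON) service account keys can be created anywhere in the hierarchy, with no
# per-project setup to maintain.
resource "google_org_policy_policy" "disable_sa_key_creation" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      # A boolean constraint: "TRUE" enforces it, "FALSE" would exempt the scope.
      enforce = "TRUE"
    }
  }
}

# Note: the separate constraint iam.disableServiceAccountKeyUpload (option C)
# only blocks uploading externally generated public keys; it does not stop
# creation of new keys, which is why it does not answer the question on its own.
```

After `terraform apply`, attempts to run `gcloud iam service-accounts keys create` in any project under the organization are denied by the policy, which is the control the question asks for.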