Google Cloud Professional Cloud DevOps Engineer — Question 93
A third-party application needs a service account key to work properly. When you try to export the key from your cloud project, you receive an error: “The organization policy constraint iam.disableServiceAccountKeyCreation is enforced.” You need to make the third-party application work while following Google-recommended security practices.
What should you do?
Answer options
- A. Enable the default service account key, and download the key.
- B. Remove the iam.disableServiceAccountKeyCreation policy at the organization level, and create a key.
- C. Disable the service account key creation policy at the project's folder, and download the default key.
- D. Add a rule to set the iam.disableServiceAccountKeyCreation policy to off in your project, and create a key.
Correct answer: D
Explanation
The correct choice is D because setting the iam.disableServiceAccountKeyCreation policy to off in your project alone leaves the organization policy in force everywhere else while allowing service account key creation specifically for your project. Option A does not resolve the policy error. Options B and C relax the policy at the organization or folder level, which could violate organizational policy and security best practices.