Google Cloud Professional Cloud Security Engineer — Question 19
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices.
What should you do?
Answer options
- A. Create a new Service account, and give all application users the role of Service Account User.
- B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
- C. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
- D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
Correct answer: D
Explanation
The correct answer is D: granting G Suite domain-wide delegation to a service account lets the application act on behalf of users without needing their credentials, which aligns with Google's recommended practices. Options A and B do not provide the necessary impersonation capability, because the Service Account User role lets users act as the service account rather than letting the service account act as a user. Option C relies on a G Suite Admin account's credentials, which does not meet the requirement of not relying on the current user's credentials.