Back to Google Cloud Associate Cloud Engineer (GCP ACE)

Configuring Access and Security

Manage IAM policies, service accounts, and implement security best practices (~20% of exam).

Covers viewing and creating IAM policies, managing role types (basic, predefined, custom), creating and managing service accounts, implementing least privilege, service account impersonation, and short-lived credentials.
5 minutes 5 Questions

Configuring Access and Security in Google Cloud Platform (GCP) is a critical responsibility for Cloud Engineers, encompassing identity management, resource protection, and compliance enforcement. **Identity and Access Management (IAM)** forms the foundation of GCP security. IAM allows you to defin…

Concepts covered: Creating service accounts, Using service accounts in IAM policies, Managing IAM permissions of a service account, Managing service account impersonation, Creating short-lived service account credentials, Viewing IAM policies, Creating IAM policies, Managing IAM role types, Basic IAM roles, Predefined IAM roles, Custom IAM roles, Defining custom IAM roles, Service accounts with minimum permissions, Assigning service accounts to resources, Managing short-lived service account credentials, Using service accounts with GKE applications

Test mode:
Start practice test
GCP ACE - Configuring Access and Security Example Questions

Test your knowledge of Configuring Access and Security

Question 1

What is the purpose of the 'etag' value returned when viewing an IAM policy using gcloud commands?

Correct Answer: To enable optimistic concurrency control when updating policies

The etag value enables optimistic concurrency control by ensuring that IAM policy updates only succeed if the policy hasn't been modified by another operation since it was retrieved.

Using etag for audit tracking is incorrect as audit logs have separate mechanisms. Etag doesn't verify integrity during replication as it changes with each policy modification. While etag does change when policies are updated, its primary purpose isn't timestamping but preventing concurrent modification conflicts.

Key concept: IAM policy concurrency control mechanisms.

Question 2

A software consulting firm has been contracted to help a client migrate their on-premises data warehouse to BigQuery. The client's GCP project contains a service account 'bq-admin@client-project.iam.gserviceaccount.com' with BigQuery Admin permissions. The consulting firm's engineers work from their own GCP project and use service account 'consultant@consulting-firm.iam.gserviceaccount.com'. The client wants consultants to perform BigQuery schema changes during the migration, but requires that all operations appear in audit logs with both the consultant's identity and the target service account. The client also wants to avoid granting BigQuery permissions to the consultant's service account. After granting the appropriate impersonation role, what additional step must the consulting firm's engineers take to successfully execute BigQuery commands as the client's service account?

Correct Answer: Use the gcloud --impersonate-service-account flag or generate access tokens using the IAM credentials API to obtain short-lived credentials for the target service account

The correct answer involves using the gcloud --impersonate-service-account flag or generating access tokens using the IAM credentials API to obtain short-lived credentials for the target service account.

When service account impersonation is properly configured (with the Service Account Token Creator role granted to the consultant's service account on the client's bq-admin service account), the consultant must actively invoke the impersonation mechanism to execute commands as the target service account.

There are two primary ways to do this:
1. Using the --impersonate-service-account flag with gcloud commands, for example: gcloud bq --impersonate-service-account=bq-admin@client-project.iam.gserviceaccount.com
2. Programmatically generating short-lived access tokens using the IAM credentials API (generateAccessToken method)

Both methods satisfy the requirement that audit logs show both identities - the original caller (consultant) and the impersonated service account (bq-admin).

The option suggesting downloading a service account key file is incorrect because it would bypass the impersonation requirement entirely. Using key files means the consultant would authenticate directly as the client's service account, and audit logs would not show the consultant's identity. Additionally, key files are a security risk and should be avoided.

The option about Workload Identity Federation pools is incorrect because Workload Identity Federation is designed for federating external identities (like AWS or Azure identities) into GCP, not for cross-project service account impersonation within GCP.

The option mentioning cross-project service account binding with Token Generator permissions describes granting the impersonation role (which the question states has already been done as a prerequisite), not the additional step needed to actually perform the impersonation. This is a necessary setup step but not the operational step required to execute commands.

Question 3

A software consultancy is building a data analytics platform on Google Cloud. They have a Cloud Run service that generates PDF reports and stores them in Cloud Storage. The service uses sa-reports@analytics-proj.iam.gserviceaccount.com as its identity. A new requirement states that a separate batch processing job running on Compute Engine (using sa-batch@analytics-proj.iam.gserviceaccount.com) must be able to create signed URLs for the PDF files stored by the Cloud Run service. The signed URLs need to be generated using the reports service account's credentials so that URL recipients can access files under that identity's permissions. When the batch job attempts to sign URLs using the reports service account, it fails with an authorization error. What IAM configuration is needed to enable this functionality?

Correct Answer: Grant roles/iam.serviceAccountTokenCreator to sa-batch@analytics-proj.iam.gserviceaccount.com on the sa-reports@analytics-proj.iam.gserviceaccount.com service account resource

To generate signed URLs using another service account's credentials, the batch processing service account needs the ability to create tokens on behalf of the reports service account. This requires the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).

When creating signed URLs, the process involves generating a signature using the private key of a service account. When one service account needs to sign URLs on behalf of another service account, it must be granted the Service Account Token Creator role on that target service account. This role grants the permission iam.serviceAccounts.signBlob, which is essential for creating signed URLs.

The correct configuration is to grant roles/iam.serviceAccountTokenCreator to the batch service account (sa-batch@analytics-proj.iam.gserviceaccount.com) on the reports service account resource (sa-reports@analytics-proj.iam.gserviceaccount.com). This allows the batch job to sign blobs and create signed URLs using the reports service account's identity.

The other options are incorrect for the following reasons:

  • The Service Account User role (roles/iam.serviceAccountUser) allows a principal to run operations as the service account or attach it to resources, but it does not grant the ability to create tokens or sign blobs on behalf of that service account.

  • Granting Storage Object Admin role at the project level would give the batch service account direct access to storage objects, but it wouldn't enable signing URLs using the reports service account's credentials. Cross-service authentication is also not a valid Google Cloud concept for this use case.

  • The Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin) allows managing service account keys (creating, deleting, listing keys), but it does not provide the ability to sign blobs or create tokens using the service account's credentials.

More Configuring Access and Security questions
477 questions (total)
Start 100 question test