Exam Professional Cloud DevOps Engineer topic 1 question 104 discussion

(D) is better choice, exemption of policy at Org level is always riskier than to exempt it at project level (B). But, for answer (D) - I'm assuming here rule means assigning tag.

A. Enabling the default service account key would bypass security controls and isn't recommended. B. Removing the policy at the organization level would weaken security across the entire organization, which is excessive for solving a single application's needs. C. Disabling the policy at the folder level would affect all projects in that folder, creating unnecessary security exposure. D. Adding a rule to set the policy to "off" specifically for your project is the most targeted approach. This maintains the security policy for the rest of the organization while enabling just what you need for this specific project. Therefore, the correct answer is D: Add a rule to set the iam.disableServiceAccountKeyCreation policy to off in your project, and create a key.

I will go for B. when an organization policy constraint—such as iam.disableServiceAccountKeyCreation—is enforced at the organization level, lower-level policies (at the folder or project level) cannot override that enforcement. This means that adding a rule at the project level (Option D) to set iam.disableServiceAccountKeyCreation to off will have no effect because the enforced organization-level policy takes precedence.

To address the error caused by the organization policy constraint "iam.disableServiceAccountKeyCreation," and to enable the third-party application to work while adhering to Google-recommended security practices, the recommended action is (Option D). By adding a rule to set the "iam.disableServiceAccountKeyCreation" policy to "off" specifically in your project, you can override the organization-level constraint temporarily for your project. This allows you to create the necessary service account key for the third-party application without compromising the organization-wide security policy. This targeted adjustment ensures that the key creation is enabled only for the project in question, maintaining security standards across the broader organization.

The correct answer is D. Using service account keys is against best practices so if needed you only enable it only on one project.

I think D is better, you can disable the Org Policy only on the project in which the key is.

Correct answer is B If the iam.disableServiceAccountCreation constraint is applied, attempting to enable these services will fail because their default service accounts cannot be created. To resolve this issue: Temporarily remove the iam.disableServiceAccountCreation constraint. Enable the desired services. Create any other desired service accounts. Finally, re-apply the constraint. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_key_creation

Right answer

COrrect Answer is B