ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud DevOps Engineer All Questions

View all questions & answers for the Professional Cloud DevOps Engineer exam
Go to Exam

Exam Professional Cloud DevOps Engineer topic 1 question 157 discussion

Actual exam question from Google's Professional Cloud DevOps Engineer
Question #: 157
Topic #: 1
[All Professional Cloud DevOps Engineer Questions]

You are designing a new Google Cloud organization for a client. Your client is concerned with the risks associated with long-lived credentials created in Google Cloud. You need to design a solution to completely eliminate the risks associated with the use of JSON service account keys while minimizing operational overhead. What should you do?

  • A. Apply the constraints/iam.disableServiceAccountKevCreation constraint to the organization.
  • B. Use custom versions of predefined roles to exclude all iam.serviceAccountKeys.* service account role permissions.
  • C. Apply the constraints/iam.disableServiceAccountKeyUpload constraint to the organization.
  • D. Grant the roles/iam.serviceAccountKeyAdmin IAM role to organization administrators only.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by koo_kai at Oct. 28, 2023, 8:24 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
alpha_canary
10 months ago
Selected Answer: A
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_key_creation
upvoted 1 times
...
xhilmi
1 year ago
Selected Answer: A
Correct answer is A. By applying the constraints/iam.disableServiceAccountKeyCreation constraint to the organization, you can prevent the creation of JSON service account keys, thus minimizing the risk associated with long-lived credentials. This constraint disables the ability to create new service account keys, reducing the potential for misuse or compromise of credentials.
upvoted 2 times
...
mshafa
1 year, 1 month ago
Selected Answer: A
You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects.
upvoted 3 times
...
lelele2023
1 year, 1 month ago
Selected Answer: A
"You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint." https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_key_creation
upvoted 2 times
...
koo_kai
1 year, 1 month ago
Selected Answer: A
constraints/iam.disableServiceAccountKeyCreation
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel