PROFESSIONAL-CLOUD-DEVELOPER · Question #217
You need to deploy resources from your laptop to Google Cloud using Terraform. Resources in your Google Cloud environment must be created using a service account. Your Cloud Identity has the roles/iam
The correct answer is B. 1. Run the following command from a command line: gcloud config set. With the roles/iam.serviceAccountTokenCreator role, the recommended Google best practice is service account impersonation: configure gcloud to impersonate the target service account (e.g., gcloud config set auth/impersonate_service_account SA_EMAIL), then use Application Default
Question
You need to deploy resources from your laptop to Google Cloud using Terraform. Resources in your Google Cloud environment must be created using a service account. Your Cloud Identity has the roles/iam.serviceAccountTokenCreator Identity and Access Management (IAM) role and the necessary permissions to deploy the resources using Terraform. You want to set up your development environment to deploy the desired resources following Google-recommended best practices. What should you do?
Options
- A
- Download the service account's key file in JSON format, and store it locally on your laptop.
- B
- Run the following command from a command line: gcloud config set
- C
- Run the following command from a command line: gcloud auth application-default login.
- D
- Store the service account's key file in JSON format in Hashicorp Vault.
How the community answered
(64 responses)- A5% (3)
- B80% (51)
- C2% (1)
- D14% (9)
Explanation
With the roles/iam.serviceAccountTokenCreator role, the recommended Google best practice is service account impersonation: configure gcloud to impersonate the target service account (e.g., gcloud config set auth/impersonate_service_account SA_EMAIL), then use Application Default Credentials (ADC). This generates short-lived, automatically expiring tokens on behalf of the service account without ever downloading a long-lived key file. Option A (download a JSON key file) creates a long-lived static credential that must be securely stored and manually rotated - this is explicitly discouraged by Google. Option C (gcloud auth application-default login) authenticates as the human user's Cloud Identity, not the required service account. Option D (HashiCorp Vault) adds significant operational complexity without leveraging the native impersonation capability already in place.
Topics
Community Discussion
No community discussion yet for this question.