Home › GCP Associate Cloud Engineer › cloudcomputing › gcpsecurity › Service account impersonation lets a principal:
Service account impersonation lets a principal:
ASteal the service account's password and use it forever
BPermanently merge two service accounts into one
CTemporarily act with the permissions of a service account, without holding the service-account's private key, via short-lived OAuth credentials
DBypass IAM entirely for one API call
Answer & Solution
Correct answer: C. Temporarily act with the permissions of a service account, without holding the service-account's private key, via short-lived OAuth credentials
Impersonation = the caller invokes `generateAccessToken` (or signs a JWT) on the target service account, receives a short-lived access token, and acts as that SA for the request. No key download required, and the caller still needs `iam.serviceAccountTokenCreator` on the target. The other options are wrong characterisations.
Related questions
Which IAM principle does Google Cloud recommend when granting a service account access to Which Google Cloud feature provides a centralised reverse proxy that verifies the user's iAn organisation wants to enforce that only signed and approved container images can be depWorkload Identity Federation lets external (non-Google) identities (e.g. AWS IAM, GitHub AAn auditor needs to determine which user deleted a Cloud Storage bucket in a project last Which approach gives a GKE workload SHORT-LIVED credentials to access Google APIs WITHOUT Which Google Cloud product stores secrets (API tokens, passwords, certificates) with versiWhich Google Cloud service centrally manages cryptographic keys (creation, rotation, destr