Practice free →
HomeGCP Associate Cloud Engineercloudcomputinggcpsecurity › Service account impersonation lets a principal:

Service account impersonation lets a principal:

ASteal the service account's password and use it forever
BPermanently merge two service accounts into one
CTemporarily act with the permissions of a service account, without holding the service-account's private key, via short-lived OAuth credentials
DBypass IAM entirely for one API call
Answer & Solution
Correct answer: C. Temporarily act with the permissions of a service account, without holding the service-account's private key, via short-lived OAuth credentials
Impersonation = the caller invokes `generateAccessToken` (or signs a JWT) on the target service account, receives a short-lived access token, and acts as that SA for the request. No key download required, and the caller still needs `iam.serviceAccountTokenCreator` on the target. The other options are wrong characterisations.
Solve this in the app — GCP Associate Cloud Engineer practice & 24k+ MCQs →
Related questions