Home › GCP Professional Cloud Architect › cloudcomputing › gcppcasecurity › Which GCP IAM feature lets a less-privileged use…
Which GCP IAM feature lets a less-privileged user temporarily assume the identity of a more-privileged service account WITHOUT having that account's key?
AGranting Owner to every user
BDisabling IAM
CService-account impersonation (via Service Account Token Creator role)
DSharing the service-account JSON key file
Answer & Solution
Correct answer: C. Service-account impersonation (via Service Account Token Creator role)
Service-account impersonation grants short-lived tokens via the Token Creator role (per the exam guide §3.1). The other options are textbook security antipatterns.
Related questions
Which GCP compliance design feature gives an architect audit-grade tamper-evident logs of Which GCP design principle separates production deploy permissions from production data-reWhich Chrome Enterprise feature gives administrators device-aware policies and threat protWhich GCP feature lets an architect protect generative-AI deployments from prompt-injectioWhich GCP feature lets an architect enforce constraints across an entire organisation (e.gWhich GCP feature lets a workload outside GCP (e.g. AWS / Azure / on-prem) authenticate toWhich GCP service provides secure remote access to internal apps without a corporate VPN —Which GCP control lets an architect define a security perimeter around managed services (e