Question 669 of 1,000
hardMultiple ChoiceObjective-mapped

How to Use IAM Service Account Impersonation for Cloud Build to Deploy to Cloud Run

This ACE practice question tests your understanding of service account impersonation. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: service Account Impersonation. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A Cloud Build pipeline needs to deploy to Cloud Run but the pipeline's service account has only minimal permissions. Rather than granting it Cloud Run Admin, the team wants it to temporarily act as a more privileged deployment service account. Which technique enables this?

Quick Answer

The correct answer is to grant the Cloud Build service account the Token Creator role on the deployment service account, enabling IAM service account impersonation. This technique allows the Cloud Build pipeline to temporarily act as a more privileged service account by generating short-lived OAuth2 tokens, rather than granting the pipeline’s own service account broad permissions like Cloud Run Admin. On the Google Associate Cloud Engineer exam, this scenario tests your understanding of the principle of least privilege and how to securely delegate permissions across services using cloud build service account impersonation for cloud run deployments. A common trap is confusing the Token Creator role with the Service Account User role—remember that Token Creator is for generating tokens to impersonate, while Service Account User is for attaching the account to a resource. Memory tip: “Token to take the throne” — the Token Creator role gives your pipeline the key to temporarily sit in the deployment account’s chair.

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA

Option B is the intended answer because service account impersonation is the correct technique. However, the option text incorrectly states 'Token Creator role' whereas the required role is the Service Account User role (roles/iam.serviceAccountUser) which grants the iam.serviceAccounts.actAs permission. The Cloud Build SA needs this role on the deployment SA to temporarily act as it. The Token Creator role only allows token generation, not usage. This approach avoids granting broad Cloud Run Admin permissions, adhering to least privilege. The other options are incorrect: A stores a static key (security risk), C grants excessive project-level Owner, and D is not a real IAM feature.

Key principle: Service Account Impersonation

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Download the deployment service account's JSON key and store it in Cloud Build secrets

    Why it's wrong here

    Storing a JSON key is not temporary and violates security best practices, as keys can be leaked; it is not the recommended impersonation technique.

  • Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA

    Why this is correct

    This is correct in concept, but the role should be Service Account User (roles/iam.serviceAccountUser), not Token Creator. The exam expects understanding that impersonation requires the actAs permission.

    Related concept

    Service Account Impersonation

  • Add the Cloud Build SA as an Owner of the project

    Why it's wrong here

    Granting the Cloud Build SA Owner role is excessive and violates least privilege; it would allow far more permissions than needed.

  • Enable service account delegation in the project's IAM settings

    Why it's wrong here

    Service account delegation is not a standard IAM feature; the correct term is service account impersonation via the Service Account User role.

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common trap is confusing the Service Account User role (required for impersonation) with the Token Creator role (only for generating tokens). Candidates may also mistakenly think storing keys or using delegation is correct.

Detailed technical explanation

How to think about this question

Under the hood, impersonation works by the Cloud Build SA calling the iamcredentials.googleapis.com generateAccessToken API to obtain a short-lived (typically 1-hour) access token for the deployment SA, which is then used to authenticate Cloud Run API calls. This token is automatically scoped to the deployment SA's roles, and Cloud Build's default service account (e.g., [PROJECT-NUMBER]@cloudbuild.gserviceaccount.com) must have the roles/iam.serviceAccountTokenCreator role on the target SA. A real-world scenario is deploying to a production Cloud Run service where the deployment SA has roles/run.admin, while the pipeline SA only has roles/cloudbuild.builds.builder, ensuring that even if the pipeline is compromised, the attacker cannot permanently escalate privileges.

KKey Concepts to Remember

  • Service Account Impersonation
  • Service Account User Role
  • Token Creator Role
  • Principle of Least Privilege

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Service Account Impersonation

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

Related practice questions

Related ACE practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free ACE practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this ACE question test?

Service Account Impersonation

What is the correct answer to this question?

The correct answer is: Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA — Option B is the intended answer because service account impersonation is the correct technique. However, the option text incorrectly states 'Token Creator role' whereas the required role is the Service Account User role (roles/iam.serviceAccountUser) which grants the iam.serviceAccounts.actAs permission. The Cloud Build SA needs this role on the deployment SA to temporarily act as it. The Token Creator role only allows token generation, not usage. This approach avoids granting broad Cloud Run Admin permissions, adhering to least privilege. The other options are incorrect: A stores a static key (security risk), C grants excessive project-level Owner, and D is not a real IAM feature.

What should I do if I get this ACE question wrong?

Review service Account Impersonation, then practise related ACE questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Service Account Impersonation

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More ACE practice questions

Last reviewed: Jun 30, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This ACE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ACE exam.