- A
Download the deployment service account's JSON key and store it in Cloud Build secrets
Why wrong: Storing a JSON key is not temporary and violates security best practices, as keys can be leaked; it is not the recommended impersonation technique.
- B
Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
This is correct in concept, but the role should be Service Account User (roles/iam.serviceAccountUser), not Token Creator. The exam expects understanding that impersonation requires the actAs permission.
- C
Add the Cloud Build SA as an Owner of the project
Why wrong: Granting the Cloud Build SA Owner role is excessive and violates least privilege; it would allow far more permissions than needed.
- D
Enable service account delegation in the project's IAM settings
Why wrong: Service account delegation is not a standard IAM feature; the correct term is service account impersonation via the Service Account User role.
How to Use IAM Service Account Impersonation for Cloud Build to Deploy to Cloud Run
This ACE practice question tests your understanding of service account impersonation. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: service Account Impersonation. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A Cloud Build pipeline needs to deploy to Cloud Run but the pipeline's service account has only minimal permissions. Rather than granting it Cloud Run Admin, the team wants it to temporarily act as a more privileged deployment service account. Which technique enables this?
Quick Answer
The correct answer is to grant the Cloud Build service account the Token Creator role on the deployment service account, enabling IAM service account impersonation. This technique allows the Cloud Build pipeline to temporarily act as a more privileged service account by generating short-lived OAuth2 tokens, rather than granting the pipeline’s own service account broad permissions like Cloud Run Admin. On the Google Associate Cloud Engineer exam, this scenario tests your understanding of the principle of least privilege and how to securely delegate permissions across services using cloud build service account impersonation for cloud run deployments. A common trap is confusing the Token Creator role with the Service Account User role—remember that Token Creator is for generating tokens to impersonate, while Service Account User is for attaching the account to a resource. Memory tip: “Token to take the throne” — the Token Creator role gives your pipeline the key to temporarily sit in the deployment account’s chair.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
Option B is the intended answer because service account impersonation is the correct technique. However, the option text incorrectly states 'Token Creator role' whereas the required role is the Service Account User role (roles/iam.serviceAccountUser) which grants the iam.serviceAccounts.actAs permission. The Cloud Build SA needs this role on the deployment SA to temporarily act as it. The Token Creator role only allows token generation, not usage. This approach avoids granting broad Cloud Run Admin permissions, adhering to least privilege. The other options are incorrect: A stores a static key (security risk), C grants excessive project-level Owner, and D is not a real IAM feature.
Key principle: Service Account Impersonation
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Download the deployment service account's JSON key and store it in Cloud Build secrets
Why it's wrong here
Storing a JSON key is not temporary and violates security best practices, as keys can be leaked; it is not the recommended impersonation technique.
- ✓
Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
Why this is correct
This is correct in concept, but the role should be Service Account User (roles/iam.serviceAccountUser), not Token Creator. The exam expects understanding that impersonation requires the actAs permission.
Related concept
Service Account Impersonation
- ✗
Add the Cloud Build SA as an Owner of the project
Why it's wrong here
Granting the Cloud Build SA Owner role is excessive and violates least privilege; it would allow far more permissions than needed.
- ✗
Enable service account delegation in the project's IAM settings
Why it's wrong here
Service account delegation is not a standard IAM feature; the correct term is service account impersonation via the Service Account User role.
Common exam traps
Common exam trap: answer the scenario, not the keyword
A common trap is confusing the Service Account User role (required for impersonation) with the Token Creator role (only for generating tokens). Candidates may also mistakenly think storing keys or using delegation is correct.
Detailed technical explanation
How to think about this question
Under the hood, impersonation works by the Cloud Build SA calling the iamcredentials.googleapis.com generateAccessToken API to obtain a short-lived (typically 1-hour) access token for the deployment SA, which is then used to authenticate Cloud Run API calls. This token is automatically scoped to the deployment SA's roles, and Cloud Build's default service account (e.g., [PROJECT-NUMBER]@cloudbuild.gserviceaccount.com) must have the roles/iam.serviceAccountTokenCreator role on the target SA. A real-world scenario is deploying to a production Cloud Run service where the deployment SA has roles/run.admin, while the pipeline SA only has roles/cloudbuild.builds.builder, ensuring that even if the pipeline is compromised, the attacker cannot permanently escalate privileges.
KKey Concepts to Remember
- Service Account Impersonation
- Service Account User Role
- Token Creator Role
- Principle of Least Privilege
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Service Account Impersonation
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Review service Account Impersonation, then practise related ACE questions on the same topic to reinforce the concept.
Related practice questions
Related ACE practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Configuring Access and Security practice questions
Practise ACE questions linked to Configuring Access and Security.
Planning and Configuring a Cloud Solution practice questions
Practise ACE questions linked to Planning and Configuring a Cloud Solution.
Ensuring Successful Operation of a Cloud Solution practice questions
Practise ACE questions linked to Ensuring Successful Operation of a Cloud Solution.
Deploying and Implementing a Cloud Solution practice questions
Practise ACE questions linked to Deploying and Implementing a Cloud Solution.
Setting Up a Cloud Solution Environment practice questions
Practise ACE questions linked to Setting Up a Cloud Solution Environment.
ACE fundamentals practice questions
Practise ACE questions linked to ACE fundamentals.
ACE scenario practice questions
Practise ACE questions linked to ACE scenario.
ACE troubleshooting practice questions
Practise ACE questions linked to ACE troubleshooting.
Practice this exam
Start a free ACE practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this ACE question test?
Service Account Impersonation
What is the correct answer to this question?
The correct answer is: Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA — Option B is the intended answer because service account impersonation is the correct technique. However, the option text incorrectly states 'Token Creator role' whereas the required role is the Service Account User role (roles/iam.serviceAccountUser) which grants the iam.serviceAccounts.actAs permission. The Cloud Build SA needs this role on the deployment SA to temporarily act as it. The Token Creator role only allows token generation, not usage. This approach avoids granting broad Cloud Run Admin permissions, adhering to least privilege. The other options are incorrect: A stores a static key (security risk), C grants excessive project-level Owner, and D is not a real IAM feature.
What should I do if I get this ACE question wrong?
Review service Account Impersonation, then practise related ACE questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Service Account Impersonation
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Keep practising
More ACE practice questions
- A team's Cloud Build pipeline must: (1) run unit tests, (2) build a Docker image only if tests pass, (3) push the image…
- A team needs a database backup job to run every day at 2 AM UTC. The job calls an HTTP endpoint to trigger the backup. T…
- A team wants to receive an email alert when the average CPU utilization of VMs in a managed instance group exceeds 80% f…
- A Go service is consuming significantly more CPU than expected. The team suspects an inefficient function but doesn't kn…
- A network team is creating a new VPC and must decide between auto mode and custom mode. Why would they choose custom mod…
- A company organizes its GCP projects by business unit — Finance, Engineering, and Sales. Which resource is best suited t…
Last reviewed: Jun 30, 2026
This ACE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ACE exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.