- A. Download the deployment service account's JSON key and store it in Cloud Build secrets
  Why wrong: Using key files for impersonation introduces long-lived credentials — impersonation via token exchange is the preferred keyless approach.
- B. Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
  With `roles/iam.serviceAccountTokenCreator` on the target SA, the Cloud Build SA can generate short-lived access tokens to act as the deployment SA — no key files needed.
- C. Add the Cloud Build SA as an Owner of the project
  Why wrong: Granting Owner to a CI/CD service account violates least privilege — it's far more access than needed for a deployment operation.
- D. Enable service account delegation in the project's IAM settings
  Why wrong: There is no 'service account delegation' toggle in IAM settings — impersonation is configured via role bindings on the target service account.
Quick Answer
The correct answer is to grant the Cloud Build service account the Token Creator role on the deployment service account, enabling IAM service account impersonation. This technique allows the Cloud Build pipeline to temporarily act as a more privileged service account by generating short-lived OAuth2 tokens, rather than granting the pipeline’s own service account broad permissions like Cloud Run Admin. On the Google Associate Cloud Engineer exam, this scenario tests your understanding of the principle of least privilege and how to securely delegate permissions across services using Cloud Build service account impersonation for Cloud Run deployments. A common trap is confusing the Token Creator role with the Service Account User role. Remember that Token Creator is for generating tokens to impersonate, while Service Account User is for attaching the account to a resource. Memory tip: “Token to take the throne”: the Token Creator role gives your pipeline the key to temporarily sit in the deployment account’s chair.
Google ACE Setting up a cloud solution environment Practice Question
This ACE practice question tests your understanding of setting up a cloud solution environment. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A Cloud Build pipeline needs to deploy to Cloud Run but the pipeline's service account has only minimal permissions. Rather than granting it Cloud Run Admin, the team wants it to temporarily act as a more privileged deployment service account. Which technique enables this?
Correct answer & explanation
Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
Option B is correct because it uses IAM service account impersonation, which allows the Cloud Build service account to temporarily assume the identity of a more privileged deployment service account by calling the iam.serviceAccounts.actAs permission. This avoids granting broad Cloud Run Admin permissions directly to the pipeline's service account, adhering to the principle of least privilege. The Token Creator role (roles/iam.serviceAccountTokenCreator) on the deployment service account enables the Cloud Build SA to generate short-lived OAuth2 tokens for impersonation, which are automatically scoped to the deployment SA's permissions.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ Download the deployment service account's JSON key and store it in Cloud Build secrets
  Why it's wrong here: Using key files for impersonation introduces long-lived credentials — impersonation via token exchange is the preferred keyless approach.
- ✓ Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
  Why this is correct: With `roles/iam.serviceAccountTokenCreator` on the target SA, the Cloud Build SA can generate short-lived access tokens to act as the deployment SA — no key files needed.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ Add the Cloud Build SA as an Owner of the project
  Why it's wrong here: Granting Owner to a CI/CD service account violates least privilege — it's far more access than needed for a deployment operation.
- ✗ Enable service account delegation in the project's IAM settings
  Why it's wrong here: There is no 'service account delegation' toggle in IAM settings — impersonation is configured via role bindings on the target service account.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Google Cloud often tests the distinction between granting a role directly (like Cloud Run Admin) versus using impersonation with the Token Creator role, and the trap here is that candidates confuse storing a JSON key (Option A) with secure, temporary impersonation, or assume that 'delegation' (Option D) is a real IAM feature when it is not.
Detailed technical explanation
How to think about this question
Under the hood, impersonation works by the Cloud Build SA calling the iamcredentials.googleapis.com generateAccessToken API to obtain a short-lived (typically 1-hour) access token for the deployment SA, which is then used to authenticate Cloud Run API calls. This token is automatically scoped to the deployment SA's roles, and Cloud Build's default service account (e.g., [PROJECT-NUMBER]@cloudbuild.gserviceaccount.com) must have the roles/iam.serviceAccountTokenCreator role on the target SA. A real-world scenario is deploying to a production Cloud Run service where the deployment SA has roles/run.admin, while the pipeline SA only has roles/cloudbuild.builds.builder, ensuring that even if the pipeline is compromised, the attacker cannot permanently escalate privileges.
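One way to check the setup described above, as an added example that is not part of the original page: a Python audit over IAM policy JSON in the shape returned by `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` with `--format=json`. The account names and policies are constructed sample values, `audit_impersonation` is a hypothetical helper, and IAM conditions on bindings are assumed absent.

```python
# Added example: audit IAM policy JSON for the impersonation setup above.
# Policy dicts follow the {"bindings": [{"role": ..., "members": [...]}]} shape.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
BROAD_PROJECT_ROLES = ("roles/editor", "roles/owner", "roles/run.admin")

def members_with_role(policy, role):
    """Return the set of members bound to `role` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found

def audit_impersonation(pipeline_sa, project_policy, target_sa_policy):
    """Return findings; an empty list means the setup matches option B."""
    member = f"serviceAccount:{pipeline_sa}"
    impersonators = members_with_role(target_sa_policy, TOKEN_CREATOR)
    findings = []
    # The binding must sit on the deployment SA itself.
    if member not in impersonators:
        findings.append("pipeline SA lacks Token Creator on the deployment SA")
    # Granted on the project, the role covers every SA in that project.
    if member in members_with_role(project_policy, TOKEN_CREATOR):
        findings.append("Token Creator granted project-wide, not on one SA")
    # Direct broad grants defeat the purpose of impersonation (option C).
    for role in BROAD_PROJECT_ROLES:
        if member in members_with_role(project_policy, role):
            findings.append(f"pipeline SA holds {role} on the project")
    # Every other impersonator shares the deployment SA's privileges.
    for other in sorted(impersonators - {member}):
        findings.append(f"additional impersonator: {other}")
    return findings

# Constructed sample values (not taken from a real project).
PIPELINE_SA = "123456789012@cloudbuild.gserviceaccount.com"
DEPLOY_SA = "deployer@example-project.iam.gserviceaccount.com"
GOOD_PROJECT = {"bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": [f"serviceAccount:{PIPELINE_SA}"]},
    {"role": "roles/run.admin", "members": [f"serviceAccount:{DEPLOY_SA}"]},
]}
GOOD_TARGET = {"bindings": [
    {"role": TOKEN_CREATOR, "members": [f"serviceAccount:{PIPELINE_SA}"]},
]}
BAD_PROJECT = {"bindings": [
    {"role": "roles/owner", "members": [f"serviceAccount:{PIPELINE_SA}"]},
]}
BAD_TARGET = {"bindings": []}
```

Calling `audit_impersonation(PIPELINE_SA, GOOD_PROJECT, GOOD_TARGET)` returns an empty list, while the `BAD_*` pair reports both the missing binding and the direct Owner grant.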
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 30, 2026