A company wants to allow developers to create service accounts in a project but prevent them from granting the 'roles/iam.serviceAccountUser' role to any user. Which organization policy constraint should they set?
The constraint in Option C, iam.restrictGrantableRoles, prevents granting the specified role, even if the user otherwise has permission to grant roles.
Why this answer
Option A, iam.disableServiceAccountKeyCreation, disables service account key creation; it does not restrict which roles can be granted. Option B, iam.allowedPolicyMemberDomains, restricts which identity domains can be added as members of an IAM policy, not which roles can be granted. Option D, iam.workloadIdentityPoolProviders, governs workload identity federation and is unrelated to role grants.
Option C, iam.restrictGrantableRoles, limits which roles can be granted in the project. Configuring it to exclude roles/iam.serviceAccountUser prevents developers from granting that role while still allowing them to create service accounts. The correct answer is Option C.