A company wants to control which resources can be accessed by a service account in a specific project. Which IAM policy binding approach should be used?
Trap 1: Use VPC Service Controls to restrict the service account
VPC Service Controls build a service perimeter around projects to limit which networks and projects can reach a service's API; they mitigate data exfiltration but do not grant or remove IAM roles, so they are not an IAM policy binding.
Trap 2: Add the service account to a Cloud Identity group and grant the group a role
A service account can be a group member, but the group itself grants nothing: the group still has to be bound to a role at the project or resource level, so for one service account in one project the group only adds indirection.
Trap 3: Grant the service account a role at the organization level
Bindings are inherited down the resource hierarchy (organization, folders, projects, resources), so an organization-level role applies to every project in the organization, not just the one in question.
- A
Use VPC Service Controls to restrict the service account
Why wrong: VPC Service Controls define a perimeter that limits which networks and projects can call Google Cloud APIs, which addresses data exfiltration; they do not change what roles a service account holds, so they cannot implement the required IAM binding.
- B
Grant the service account a role at the project or resource level
Correct: a role bound on the project applies only to that project and the resources under it, and a role bound on an individual resource (a bucket, topic, or secret) applies only to that resource. Combine the narrow scope with a predefined or custom role that carries only the permissions the service account needs. A child policy can only add to what ancestors grant, so there must be no broader binding higher in the hierarchy for this scoping to hold.
- C
Add the service account to a Cloud Identity group and grant the group a role
Why wrong: the group is a legitimate way to manage membership, but the access scope is still set by where the group's role binding sits, which must be the project or resource; the group does not narrow anything and adds a step for a single service account.
- D
Grant the service account a role at the organization level
Why wrong: IAM allow policies are inherited by every folder, project and resource below the level where they are bound, so an organization-level role gives the service account access across the whole organization rather than in the specific project.
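To make the scoping argument concrete, the following added example (not part of the original question or of any Google code) models IAM allow-policy inheritance over a small constructed hierarchy and shows which resources a service account ends up with a role on when the same role is bound at the organization, project, bucket, or via a group at the project. It is a simplified model: it ignores IAM Conditions, deny policies, and role-to-permission expansion. The organization ID, project names, bucket names, service account and group addresses are made-up sample values; the emitted `gcloud` commands use the real `gcloud projects add-iam-policy-binding` and `gcloud storage buckets add-iam-policy-binding` syntax.

```python
"""Toy model of Google Cloud IAM allow-policy inheritance.

Illustration added for this question; not Google's code.  Only models the
union-of-ancestor-bindings rule (no IAM Conditions, deny policies, or
permission expansion).  All names below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

SA = "serviceAccount:sa@proj-a.iam.gserviceaccount.com"  # constructed sample
GROUP = "group:data-readers@example.com"                   # constructed sample
ROLE = "roles/storage.objectViewer"


@dataclass
class Resource:
    """A node in the hierarchy carrying its own IAM allow policy."""
    name: str
    kind: str                                  # organization | folder | project | bucket
    parent: Optional["Resource"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members

    def add_binding(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)


def effective_roles(resource: Resource, principal: str,
                    groups: Dict[str, Set[str]]) -> Set[str]:
    """Roles `principal` holds on `resource`: the union of the bindings on the
    resource and on every ancestor.  A child policy can only add to what the
    parents grant, which is why an organization-level binding reaches every
    project.  Group bindings count when the principal is in the group."""
    roles: Set[str] = set()
    node: Optional[Resource] = resource
    while node is not None:
        for role, members in node.bindings.items():
            for m in members:
                if m == principal or (m.startswith("group:")
                                      and principal in groups.get(m, set())):
                    roles.add(role)
        node = node.parent
    return roles


def build_hierarchy() -> Dict[str, Resource]:
    """Constructed hierarchy: one org, one folder, two projects, three buckets."""
    org = Resource("organizations/123456789012", "organization")
    folder = Resource("folders/prod", "folder", org)
    proj_a = Resource("proj-a", "project", folder)
    proj_b = Resource("proj-b", "project", folder)
    data = Resource("gs://proj-a-data", "bucket", proj_a)
    logs = Resource("gs://proj-a-logs", "bucket", proj_a)
    other = Resource("gs://proj-b-data", "bucket", proj_b)
    return {r.name: r for r in (org, folder, proj_a, proj_b, data, logs, other)}


def resources_with_role(binding_scope: str, member: str) -> Set[str]:
    """Bind ROLE to `member` at the named scope in a fresh hierarchy and return
    the names of every resource on which SA then effectively holds ROLE."""
    tree = build_hierarchy()
    tree[binding_scope].add_binding(ROLE, member)
    groups = {GROUP: {SA}}                      # SA is a member of the group
    return {name for name, r in tree.items()
            if ROLE in effective_roles(r, SA, groups)}


def gcloud_binding_command(scope: Resource, member: str, role: str) -> str:
    """Real gcloud syntax for the recommended project- or resource-level binding."""
    if scope.kind == "project":
        return (f"gcloud projects add-iam-policy-binding {scope.name} "
                f'--member="{member}" --role="{role}"')
    if scope.kind == "bucket":
        return (f"gcloud storage buckets add-iam-policy-binding {scope.name} "
                f'--member="{member}" --role="{role}"')
    raise ValueError("example only emits project- and bucket-scoped bindings")


if __name__ == "__main__":
    for label, scope, member in [
        ("D: organization-level", "organizations/123456789012", SA),
        ("B: project-level", "proj-a", SA),
        ("B: bucket-level", "gs://proj-a-data", SA),
        ("C: group bound at project", "proj-a", GROUP),
    ]:
        print(f"{label:28} -> {sorted(resources_with_role(scope, member))}")
    tree = build_hierarchy()
    print(gcloud_binding_command(tree["proj-a"], SA, ROLE))
    print(gcloud_binding_command(tree["gs://proj-a-data"], SA, ROLE))
```

Running it shows the organization-level binding reaching all seven resources including proj-b, the project-level binding reaching proj-a and its two buckets only, the bucket-level binding reaching a single bucket, and the group binding producing exactly the same scope as the direct project-level binding, which is why the group changes who is managed, not where the access applies.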