Refer to the exhibit. A security engineer runs the commands shown. The command 'gcloud compute instances list' fails with a permission denied error. The service account key belongs to a service account with the role 'roles/compute.viewer' on the project. What is the most likely cause?
Most likely cause: the key is invalid, causing authentication failure.
Why this answer
The command 'gcloud auth activate-service-account' uses a service account key file to authenticate as that service account. If the key file is invalid (e.g., corrupted, expired, or malformed) or the service account itself has been deleted, authentication will fail, causing subsequent commands like 'gcloud compute instances list' to return a permission denied error even if the service account has the correct role. The error is not about missing permissions on the role, but about the inability to prove identity.
Exam trap
Google Cloud often tests the distinction between authentication failure (invalid key/deleted account) and authorization failure (insufficient permissions), tricking candidates into assuming the role itself is missing a permission when the real issue is that the identity cannot be verified.
How to eliminate wrong answers
Option A is wrong because the role 'roles/compute.viewer' does include the 'compute.instances.list' permission, so it is sufficient to list instances.
Option C is wrong because 'gcloud auth activate-service-account' is the correct command to authenticate using a service account key file; 'gcloud auth login' is for user accounts, not service accounts.
Option D is wrong because if the project did not exist or the service account was not in it, the error would typically be 'project not found' or 'permission denied' after successful authentication, not a permission denied error caused by failed authentication; the scenario explicitly states the key belongs to a service account with the viewer role on the project, implying the project exists.