A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only to projects that have been explicitly authorized. The security team wants to use a service account that Cloud Build can impersonate to perform deployments, and they want to use organization policies to restrict which projects can be deployed to. Which approach should they take?
- A
Use the organization policy constraint 'constraints/iam.serviceAccountKeyExpiryHours' to force key rotation.
Why wrong: This constraint caps the lifetime of user-managed service account keys; it says nothing about which projects a service account may be used in. A Cloud Build pipeline that impersonates the service account does not use user-managed keys at all, so the constraint would not even touch the deployment path.
- B
Use the organization policy constraint 'constraints/iam.allowedPolicyMemberDomains' and set it to only allow the service account's domain.
Why wrong: This is domain restricted sharing. It limits which principals can be added to IAM allow policies (its allowed values are Google Workspace or Cloud Identity customer IDs, not DNS domains, despite the name); it does not limit which projects an existing service account can deploy to.
- C
Use the organization policy constraint 'constraints/compute.restrictCrossProjectNw' to limit network access.
Why wrong: This is a Compute Engine networking constraint; it governs network access between projects, not where a service account can hold roles or be used.
- D
Use the organization policy constraint 'constraints/iam.workloadIdentityPoolProviders' to restrict which workload identity pools can be used.
Why wrong: This constraint limits which external identity providers may be configured in workload identity pools (workload identity federation); it does not restrict the projects in which a service account can be used. Cloud Build impersonates the deployment service account directly and needs no federation for that.
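As an added illustration that is not part of the original question or answer key, this is what a policy for the option B constraint looks like when applied with `gcloud org-policies set-policy policy.yaml`. The organization ID and the customer ID are placeholders (assumptions, not values from the page). The allowed values are customer IDs, which is the concrete reason the constraint gates who may appear in an IAM policy rather than which projects a service account may act in.

```yaml
# Added example policy file for: gcloud org-policies set-policy policy.yaml
# ORGANIZATION_ID and C0xxxxxxx are placeholders, not values from the page.
name: organizations/ORGANIZATION_ID/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
    - values:
        allowedValues:
          # Google Workspace / Cloud Identity customer ID, not a DNS domain
          - C0xxxxxxx
```

The customer ID for an organization appears in the DIRECTORY_CUSTOMER_ID column of `gcloud organizations list`. To confirm what actually binds a target project after the policy is set, inspect the effective policy there with `gcloud org-policies describe iam.allowedPolicyMemberDomains --project=PROJECT_ID --effective`; the output shows only which principals may be granted roles, not any list of authorized deployment projects.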