Refer to the exhibit. This IAM policy is applied at the project level. What is the effect of the condition?
Condition on resource name limits access to resources with that prefix.
Why this answer
Option A is correct because the condition block uses a `resource.name.startsWith` expression to restrict access to AI Platform resources whose names begin with `projects/ml-`. This means the service account can only interact with AI Platform resources (such as models, jobs, or endpoints) that have a resource name starting with that prefix, effectively scoping the permission to a specific set of projects or resources.
Exam trap
Google Cloud often tests the distinction between resource-level conditions (like `resource.name`) and identity-level conditions (like `principal` or `request.auth`), and candidates mistakenly apply the condition to the service account's project ID instead of the target resource's name.
How to eliminate wrong answers
Option B is wrong because the condition checks the resource name (the AI Platform resource path), not the project ID of the service account itself; the service account can be from any project, but the resources it can access must have names starting with `projects/ml-`.
Option C is wrong because the condition uses `resource.name.startsWith`, which operates on the resource name, not the project's display name or label; the project name is irrelevant.
Option D is wrong because IAM conditions are fully supported for service accounts; the condition is evaluated at access time and can restrict permissions based on resource attributes.