Exam Professional Cloud Security Engineer topic 1 question 32 discussion

I think the correct answer is D https://developers.google.com/admin-sdk/directory/v1/guides/delegation

A and B are wrong Service Account User is use to grant someone the ability to impersonate a service account (ref: https://cloud.google.com/iam/docs/understanding-roles) So with those solution, the user could do some actions as the newly created service account We want the opposite: the service account need to do some actions as some user => D is the only working solution

Option A is false because it does not address the requirement of accessing a user's Google Drive on their behalf without relying on the user's credentials. Instead, option D, which involves granting domain-wide delegation to a service account for impersonation, is the recommended approach for this scenario.

I'm not sure if D is the correct answer. The question specifically states that they want to follow Google-recommended practices and https://cloud.google.com/iam/docs/best-practices-service-accounts#domain-wide-delegation states to avoid domain-wide delegation. I do agree that D is the only way a service account can impersonate the user though

A (Wrong) The access will be with the SA not the user's account. B (Wrong) Same as A. C. (Wrong) In this case the access is with the admins account, not user's. D. (CORRECT!) It's the only answer that really impersonate the user.

D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.

correct answer is D https://developers.google.com/admin-sdk/directory/v1/guides/delegation

Clearly D is the right answer

They are asking for google recommended practice. Does D says that?

Ans - D

D is the answer.

D is the best choice

I agree D