You have written a Cloud Function that accesses other Google Cloud resources. You want to secure the environment using the principle of least privilege. What should you do?
A. Create a new service account that has Editor authority to access the resources. The deployer is given permission to get the access token.
B. Create a new service account that has a custom IAM role to access the resources. The deployer is given permission to get the access token.
C. Create a new service account that has Editor authority to access the resources. The deployer is given permission to act as the new service account.
D. Create a new service account that has a custom IAM role to access the resources. The deployer is given permission to act as the new service account.
Quoted from https://cloud.google.com/functions/docs/securing/function-identity#individual
"In order to deploy a function with a user-managed service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed"
This approach allows you to create a service account with a custom IAM role that provides only the necessary permissions required by your Cloud Function. By granting the deployer permission to get the access token, you ensure that they can obtain the necessary credentials to deploy and manage the Cloud Function.
D should be the correct choice here.
In Google Cloud, the resource (which can be a Cloud Function, a VM, etc.) always acts as a service account while accessing other resources.
Changed my mind to D. (The note above applies when you *invoke* the function, not when it accesses other GCP services.)
https://cloud.google.com/functions/docs/securing/function-identity
"While IAM-defined service accounts are the preferred method for managing access in Google Cloud, some services might require other modes, such as an API key, OAuth 2.0 client, or service account key."
and
"Note: In order to deploy a function with a user-managed service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed."
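An added audit check (not from the page or any commenter) that encodes the two distinctions the discussion above draws: the function's service account should hold a custom role rather than a basic role such as Editor, and the deployer needs iam.serviceAccounts.actAs (carried by roles/iam.serviceAccountUser) on that service account, not a token-minting role. The service account, deployer and custom role names are constructed placeholders.

```python
# Added audit example (not the page's own code): inspects Cloud IAM policy documents
# for the least-privilege properties discussed above. Sample policies are constructed.

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
ACT_AS_ROLE = "roles/iam.serviceAccountUser"          # carries iam.serviceAccounts.actAs
TOKEN_ROLE = "roles/iam.serviceAccountTokenCreator"   # carries iam.serviceAccounts.getAccessToken


def roles_for(policy, member):
    """Return the set of roles bound to `member` in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(project_policy, sa_policy, sa_member, deployer_member):
    """Return a list of findings; an empty list means the setup matches option D."""
    findings = []
    sa_roles = roles_for(project_policy, sa_member)
    basic = sa_roles & BASIC_ROLES
    if basic:
        findings.append(f"{sa_member} holds basic role(s) {sorted(basic)}; use a custom role")
    if not sa_roles:
        findings.append(f"{sa_member} has no project role binding at all")
    deployer_roles = roles_for(sa_policy, deployer_member)
    if ACT_AS_ROLE not in deployer_roles:
        findings.append(f"{deployer_member} lacks {ACT_AS_ROLE} on the SA; deployment will fail")
    if TOKEN_ROLE in deployer_roles:
        findings.append(f"{deployer_member} holds {TOKEN_ROLE} on the SA; not needed to deploy")
    return findings


# Constructed sample data: hypothetical service account, deployer and custom role.
SA = "serviceAccount:fn-sa@example-project.iam.gserviceaccount.com"
DEPLOYER = "user:deployer@example.com"
WEAK_PROJECT = {"bindings": [{"role": "roles/editor", "members": [SA]}]}          # option A/C
WEAK_SA = {"bindings": [{"role": TOKEN_ROLE, "members": [DEPLOYER]}]}            # option A/B
GOOD_PROJECT = {"bindings": [{"role": "projects/example-project/roles/fnReader", "members": [SA]}]}
GOOD_SA = {"bindings": [{"role": ACT_AS_ROLE, "members": [DEPLOYER]}]}           # option D

if __name__ == "__main__":
    for name, proj, sa in (("weak", WEAK_PROJECT, WEAK_SA), ("good", GOOD_PROJECT, GOOD_SA)):
        print(name, audit(proj, sa, SA, DEPLOYER) or ["ok"])
```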