🔥 3-day streak
Professional Cloud Security Engineer131 / 152
Question 131 of 152

A platform team manages a fleet of Compute Engine instances that run as a highly privileged service account named prod-runtime@project.iam.gserviceaccount.com. Application developers need to deploy new VM instances that use this service account, but the security team requires that developers cannot modify the service account itself, cannot generate its keys, and cannot grant it additional IAM roles. What is the most appropriate way to grant developers exactly what they need?

Reviewed for accuracy · Report an issueNext question