
Answer-first summary for fast verification
Answer: Add a rule to set the iam.disableServiceAccountKeyCreation policy to off in your project, and create a key.
The organization policy constraint `iam.disableServiceAccountKeyCreation` blocks service account key creation. Option D is correct because it overrides the policy at the project level rather than at the organization or folder level, which minimizes security exposure: key creation is allowed for one specific project while the broader organization policy stays in place. Google recommends project-level exceptions for granular control, and the key should be created for a custom service account, not the default one. Options A, B, and C are not acceptable: A fails to bypass the policy, B weakens organization-wide security, and C affects multiple projects and uses the insecure default service account.
Author: LeetQuiz Editorial Team
A third-party application requires a service account key to function correctly. When attempting to export the key from your Google Cloud project, you encounter the error: "The organization policy constraint iam.disableServiceAccountKeyCreation is enforced." How can you enable the third-party application to work while adhering to Google's recommended security best practices?
A. Enable the default service account key, and download the key.
B. Remove the iam.disableServiceAccountKeyCreation policy at the organization level, and create a key.
C. Disable the service account key creation policy at the project's folder, and download the default key.
D. Add a rule to set the iam.disableServiceAccountKeyCreation policy to off in your project, and create a key.