You are developing a new application that runs exclusively on Compute Engine VMs. This application executes five distinct batch jobs daily, and each job requires a dedicated set of permissions to access Google Cloud resources outside the application. You need to design a secure access method for these batch jobs that follows the principle of least privilege.

What should you do?

Exam-Like

Create a general service account “g-sa” to orchestrate the batch jobs.
Create one service account per batch job ‘b-sa-[1-5]’. Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts.
Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].

Create a workload identity pool and configure workload identity pool providers for each batch job.
Assign the workload identity user role to each of the identities configured in the providers.
Create one service account per batch job “b-sa-[1-5]”, and grant only the permissions required to run the individual batch jobs to the service accounts.
Generate credential configuration files for each of the providers. Use these files to execute the batch jobs with the permissions of b-sa-[1-5].

Create a general service account “g-sa” to orchestrate the batch jobs.
Create one service account per batch job “b-sa-[1-5]”, and grant only the permissions required to run the individual batch jobs to the service accounts.
Grant the Service Account Token Creator role to g-sa. Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

Google Professional Cloud Security Engineer