
Answer-first summary for fast verification
Answer: Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
The correct answer is D because it aligns with Google's recommended practice for service accounts to access user data without storing user credentials. Domain-wide delegation allows a service account to impersonate users within the G Suite domain, enabling the application to access each user's Google Drive on their behalf securely. This method avoids the security risks of handling user credentials directly.

Options A and B are incorrect as they grant users the ability to impersonate the service account, which is the reverse of the requirement. Option C is unsuitable because using a dedicated G Suite Admin account does not provide user-specific access and violates the principle of least privilege.

Although one comment questions domain-wide delegation, the consensus and official documentation support it as the appropriate solution for this scenario.
Author: LeetQuiz Editorial Team
You are developing an internal App Engine application that requires access to a user's Google Drive without relying on the user's credentials. Your organization wants to adhere to Google's recommended practices. What should you do?
A. Create a new Service account, and give all application users the role of Service Account User.
B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
C. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.