Google Cloud Professional Cloud Security Engineer Practice Exam

What should be created to execute batch jobs with specific permissions?

• A. A dedicated user role
• B. A general service account
• C. An external service account
• D. A custom IAM policy

The correct answer is: A general service account

To execute batch jobs with specific permissions, creating a general service account is the most appropriate choice. A service account in Google Cloud is a special type of account intended to represent a non-human user that needs to authenticate and be authorized to perform actions on resources. In scenarios where you need to run batch jobs, using a general service account allows you to configure the necessary permissions strictly according to the resources the batch jobs will interact with. This ensures that the jobs can operate seamlessly without escalating permissions beyond what is needed, adhering to the principle of least privilege. Service accounts are often preferred for automation tasks like batch jobs because they can be managed independently of user accounts, meaning they won't be affected by user lifecycle events (such as leave or termination). Moreover, assigning specific IAM roles to a service account gives you the flexibility to tailor its permissions based on the specific operations the batch jobs need to perform. Creating a dedicated user role or a custom IAM policy has its merits, but these options typically require additional steps and nuances, such as defining the specific permissions and roles associated with various operations explicitly. A general service account simplifies the process by encapsulating all the necessary permissions required for executing the jobs without the overhead of creating additional roles or policies. Hence, using a general