I don’t want to reveal the entire question here for the sake of those who will take the practice test in the future. So I’ll ask my question in a different way:
GCP service account tokens grant access to services, so if a malicious person or a program has that token, will that person/program not be able to have access to all scoped permissions of that service account until that token expires? Both from within and outside GCP?
Thanks, maybe I am just having a mental block about service account access.
Using a token to access GCP doesn’t depend on whether the use is "inside" or "outside" GCP. What matters is that the token is valid for the access being attempted. So if the token can do something, then an attacker can do that, too.
But I think the explanation for that question could be improved, so thanks for calling this out! If I added the following to it, would that help clarify?
"In particular, the token will only allow the attacker (as any user) to perform whatever is allowed by both the service account and the access scopes. Since both the default service account and the default access scopes are missing some capabilities from the other, the actual access possible by using the token will be less than either of them allows, individually."
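The "combination of both" rule above, as an added worked example (not code from the practice-test author or from Google): the holder of a leaked token can exercise only those IAM permissions of the service account that the token's OAuth access scopes also cover. The scope-to-service map and the permission subsets are constructed, deliberately simplified assumptions for illustration.

```python
"""Effective access of a leaked GCP service-account token: the IAM role's
permissions INTERSECTED with what the token's OAuth access scopes allow.
Added illustration for this thread, not Google's code. The scope->service map
is a simplified assumption; real scope semantics are finer-grained."""

# Assumption: each OAuth scope is modelled as {service: set(access levels)}.
SCOPE_GRANTS = {
    "https://www.googleapis.com/auth/cloud-platform": {"*": {"read", "write"}},
    "https://www.googleapis.com/auth/devstorage.read_only": {"storage": {"read"}},
    "https://www.googleapis.com/auth/devstorage.read_write": {"storage": {"read", "write"}},
    "https://www.googleapis.com/auth/logging.write": {"logging": {"write"}},
    "https://www.googleapis.com/auth/monitoring.write": {"monitoring": {"write"}},
    "https://www.googleapis.com/auth/compute": {"compute": {"read", "write"}},
}

# Constructed sample: a subset of the Compute Engine default scopes and a
# subset of the permissions carried by roles/editor (the default SA's role).
DEFAULT_SCOPES = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
]
EDITOR_SUBSET = {
    "storage.objects.get", "storage.objects.create", "storage.objects.delete",
    "compute.instances.create", "logging.logEntries.create",
}

def _level(permission):
    # Simplification: get/list verbs need "read", everything else needs "write".
    verb = permission.rsplit(".", 1)[1]
    return "read" if verb in ("get", "list") else "write"

def scope_allows(scopes, permission):
    """True if at least one scope covers this permission's service and level."""
    service = permission.split(".", 1)[0]
    need = _level(permission)
    for scope in scopes:
        grants = SCOPE_GRANTS.get(scope, {})
        for svc in (service, "*"):
            if need in grants.get(svc, set()):
                return True
    return False

def effective_permissions(role_permissions, scopes):
    """Permissions a holder of the token can actually exercise: the intersection."""
    return {p for p in role_permissions if scope_allows(scopes, p)}
```

With the default scopes the editor role's storage writes and compute calls are unreachable, while swapping in cloud-platform makes the token as powerful as the role itself.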
Thanks Mattias. This explanation helps. The key being the resulting permissions as a combination of both. Your practice test questions have been very good at identifying areas to dig deeper into.
Glad to help! And I’m really glad the questions are helping you find and close the holes in your understanding! 😁