Google Certified Associate Cloud Engineer 2020


Practice Exam Question about Attacker compromising GCE instance

I don’t want to reveal the entire question here for the sake of those who will take the practice test in the future. So I’ll ask my question in a different way:

GCP service account tokens grant access to services. So if a malicious person or a program has that token then will that person/program not be able to have access to all scoped permissions of that service account until that token expires? Both from within and outside GCP?

Thanks, maybe I am just having a mental block about service account access.

1 Answer

Using a token to access GCP doesn’t depend on whether the use is "inside" or "outside" GCP.  What matters is that the token is valid for the access being attempted.  So if the token can do something, then an attacker can do that, too.

But I think the explanation for that question could be improved, so thanks for calling this out!  If I added the following to it, would that help clarify?

"In particular, the token will only allow the attacker (as any user) to perform whatever is allowed by both the service account and the access scopes.  Since both the default service account and the default access scopes are missing some capabilities from the other, the actual access possible by using the token will be less than either of them allows, individually."


Thanks Mattias. This explanation helps. The key being the resulting permissions as a combination of both. Your practice test questions have been very good at identifying areas to dig deeper into.

Mattias Andersson

Glad to help! And I’m really glad the questions are helping you find and close the holes in your understanding! 😁
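The two-gate check described in the answer above, as an added example that is not part of the original thread: a call made with a stolen token succeeds only if the service account's IAM grants and the token's access scopes both allow it. The grant set `SA_GRANTS` and the scope table are constructed for illustration (scope names are shown without the `https://www.googleapis.com/auth/` prefix) and are not a complete catalogue of any real role.

```python
# Added example with constructed data; not an authoritative IAM/scope catalogue.
# Permission -> access scopes (short names) that authorize the matching API call.
ACCEPTED_SCOPES = {
    "storage.objects.get": {"devstorage.read_only", "devstorage.read_write", "cloud-platform"},
    "storage.objects.create": {"devstorage.read_write", "cloud-platform"},
    "logging.logEntries.create": {"logging.write", "cloud-platform"},
    "monitoring.timeSeries.create": {"monitoring.write", "cloud-platform"},
    "compute.instances.list": {"compute.readonly", "compute", "cloud-platform"},
}

def check(permission, iam_grants, token_scopes):
    """Return (allowed, denied_by), where denied_by lists the gates that refused."""
    denied_by = []
    if permission not in iam_grants:
        denied_by.append("iam")      # service account lacks the permission
    if not ACCEPTED_SCOPES[permission] & token_scopes:
        denied_by.append("scope")    # token's scopes do not cover the API call
    return (not denied_by, denied_by)

def effective(iam_grants, token_scopes):
    """Everything a holder of the token can actually do: the intersection of both gates."""
    return {p for p in ACCEPTED_SCOPES if check(p, iam_grants, token_scopes)[0]}

# Hypothetical service account: can read/write objects, write logs, list instances,
# but has no monitoring write permission.
SA_GRANTS = {
    "storage.objects.get",
    "storage.objects.create",
    "logging.logEntries.create",
    "compute.instances.list",
}
NARROW_SCOPES = {"devstorage.read_only", "logging.write", "monitoring.write"}
BROAD_SCOPES = {"cloud-platform"}

if __name__ == "__main__":
    for perm in sorted(ACCEPTED_SCOPES):
        allowed, denied_by = check(perm, SA_GRANTS, NARROW_SCOPES)
        print(f"{perm:32} {'ALLOW' if allowed else 'DENY by ' + '+'.join(denied_by)}")
    # With cloud-platform scope the scope gate stops filtering, so the
    # exposure from a leaked token equals the full IAM grant set.
    print(sorted(effective(SA_GRANTS, BROAD_SCOPES)))
```

Running it shows the narrow scopes cutting the exposure to two permissions, while `cloud-platform` leaves IAM as the only limit on what a leaked token can reach.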
