ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 5.2: Managing service accountsService AccountsSecurityDomain 5.2

GCP ACE · Question 46 · Domain 5.2: Managing service accounts

An application running on a Compute Engine VM needs to read files from a Cloud Storage bucket. What is the MOST secure way to grant the VM access to the bucket?

Answer options:

A.

Use the default Compute Engine service account and grant it the Project Editor role.

B.

Generate a JSON key for a service account and store it on the VM's file system.

C.

Create a custom service account, grant it the Storage Object Viewer role on the bucket, and attach the service account to the VM instance.

D.

Make the Cloud Storage bucket public.

How to approach this question

Combine the concepts of least privilege and native VM authentication.

Full Answer

C.Create a custom service account, grant it the Storage Object Viewer role on the bucket, and attach the service account to the VM instance.✓ Correct
Create a custom service account, grant it the Storage Object Viewer role on the bucket, and attach the service account to the VM instance.
The most secure approach is to create a dedicated (custom) service account for the VM. Grant this service account only the specific role it needs (`roles/storage.objectViewer`) on the specific resource (the bucket). Finally, attach this service account to the VM. The application can then securely retrieve short-lived credentials from the VM's metadata server without needing hardcoded JSON keys.

Common mistakes

Using the default compute service account (which has broad Editor access by default) or manually managing JSON keys.
45All questions47

Practice the full GCP Associate Cloud Engineer Practice Exam 1

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01What is the highest level of the Google Cloud resource hierarchy?EasyQ02You need to enable the Compute Engine API in a new project using the command line. Which command ...EasyQ03You are setting up a new GCP environment. You need to grant a group of developers access to view ...MediumQ04You want to receive an email notification when your GCP spending exceeds $1000 this month. What s...EasyQ05You need to analyze your GCP billing data using complex SQL queries to understand cost trends acr...Medium
View all 50 questions →