Medium · 1 mark · Multiple Choice
Domain 5.2: Managing service accounts · Service Accounts · Compute Engine · Security Best Practices

GCP ACE · Question 44 · Domain 5.2: Managing service accounts

You have an application running on a Compute Engine instance. The application needs to read files from a Cloud Storage bucket. You want to follow security best practices.

How should you grant the application access to the bucket?

Answer options:

A.

Embed your personal user account credentials in the application code.

B.

Create a service account key, download the JSON file to the instance, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.

C.

Create a custom service account, grant it the 'Storage Object Viewer' role, and attach it to the Compute Engine instance.

D.

Make the Cloud Storage bucket public.

How to approach this question

Identify the way a VM can authenticate to GCP services without any long-lived credential stored on the instance, then check which option also applies least privilege to what that identity can reach.

Full Answer

C. Create a custom service account, grant it the 'Storage Object Viewer' role, and attach it to the Compute Engine instance. ✓ Correct
Attaching a service account to the VM is the recommended way to give code running on Compute Engine an identity. The application then uses Application Default Credentials (ADC): the client libraries obtain short-lived OAuth 2.0 access tokens from the instance metadata server (metadata.google.internal), so no key material is stored on disk and there is nothing to rotate or revoke if a key leaks. Two details turn this from "works" into "best practice": create a dedicated service account for this workload instead of reusing the Compute Engine default service account (which is granted the Editor role by default in many projects), and bind roles/storage.objectViewer on the bucket itself rather than at project level, so the identity can read that bucket and nothing else. One caveat a practitioner should check: the token the metadata server issues is limited by the instance's access scopes, so a VM created with narrow scopes cannot read Cloud Storage even when the attached service account holds the role.
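The procedure behind the correct answer as gcloud commands, added here as an example rather than taken from the exam page. The project, bucket, zone, instance and service-account names are placeholders; the script only calls gcloud when run with the argument apply, and the verify argument is meant to be run on the VM itself, where it performs the same metadata-server requests that ADC performs.

```shell
#!/bin/sh
# Added example, not from the original page. Placeholder values below are
# assumptions; override them via the environment. gcloud is only invoked by
# "apply"; "verify" is meant to run on the VM. With no argument nothing
# external is called, so the helper functions can be exercised offline.
set -eu
export LC_ALL=C

PROJECT="${PROJECT:-my-project}"          # placeholder project ID
BUCKET="${BUCKET:-my-app-input-bucket}"   # placeholder bucket name
ZONE="${ZONE:-us-central1-a}"             # placeholder zone
INSTANCE="${INSTANCE:-app-vm-1}"          # placeholder instance name
SA_NAME="${SA_NAME:-app-storage-reader}"  # placeholder service-account ID

# Service-account IDs must be 6-30 characters, start with a lowercase letter,
# and contain only lowercase letters, digits and hyphens; gcloud rejects others.
valid_sa_name() {
  n="$1"
  [ "${#n}" -ge 6 ] && [ "${#n}" -le 30 ] || return 1
  case "$n" in
    [a-z]*) ;;
    *) return 1 ;;
  esac
  case "$n" in
    *[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Email that GCP assigns to a user-managed service account in a project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# IAM member string used in policy bindings for that account.
sa_member() {
  printf 'serviceAccount:%s\n' "$(sa_email "$1" "$2")"
}

apply() {
  valid_sa_name "$SA_NAME" || { echo "invalid service account ID: $SA_NAME" >&2; exit 1; }
  SA_EMAIL="$(sa_email "$SA_NAME" "$PROJECT")"

  # 1. A dedicated service account for this workload, not the Compute Engine default.
  gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT" --display-name="Reader for $BUCKET"

  # 2. Least privilege: objectViewer on this one bucket, not on the project.
  gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="$(sa_member "$SA_NAME" "$PROJECT")" \
    --role="roles/storage.objectViewer"

  # 3. Attach it to the VM. The attached account can only be changed while the
  #    instance is stopped, and the access scope must allow storage reads or the
  #    metadata-server token will be rejected by Cloud Storage.
  gcloud compute instances stop "$INSTANCE" --project="$PROJECT" --zone="$ZONE"
  gcloud compute instances set-service-account "$INSTANCE" \
    --project="$PROJECT" --zone="$ZONE" \
    --service-account="$SA_EMAIL" \
    --scopes="https://www.googleapis.com/auth/devstorage.read_only"
  gcloud compute instances start "$INSTANCE" --project="$PROJECT" --zone="$ZONE"
}

# Run on the VM: these are the metadata-server calls ADC makes. The token is
# short-lived and never touches disk, which is the whole point of option C.
verify_on_vm() {
  md="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
  curl -sf -H "Metadata-Flavor: Google" "$md/email"; echo
  curl -sf -H "Metadata-Flavor: Google" "$md/scopes"
  curl -sf -H "Metadata-Flavor: Google" "$md/token" | head -c 60; echo
}

case "${1:-}" in
  apply)  apply ;;
  verify) verify_on_vm ;;
esac
```

Run `sh attach-sa.sh apply` from a workstation with gcloud authenticated as a project owner or IAM admin, then `sh attach-sa.sh verify` on the instance: the email line must show the custom account rather than the PROJECT_NUMBER-compute@developer.gserviceaccount.com default, and the scopes line must include devstorage.read_only or cloud-platform. If an existing application sets GOOGLE_APPLICATION_CREDENTIALS, unset it, or ADC will keep preferring the key file over the metadata server.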

Common mistakes

Choosing option B, the downloaded JSON key file. A service account key is a long-lived credential: it works from anywhere, not just the VM, it ends up in disk images, backups and logs, and it stays valid until someone rotates or deletes it. On Compute Engine the metadata server already issues tokens for the attached service account, so the key adds risk without adding capability; many organizations enforce the iam.disableServiceAccountKeyCreation organization policy to block key creation outright. Options A and D are worse still: personal credentials in code tie the workload to a human account (and break when that person leaves), and a public bucket grants read access to everyone on the internet rather than to the application.

Practice the full GCP Associate Cloud Engineer Practice Exam 2