Medium · 1 mark · Multiple Choice
Tags: Domain 5.2: Managing service accounts · Service Accounts · Compute Engine · Security

GCP ACE · Question 45 · Domain 5.2: Managing service accounts

An application running on a Compute Engine VM needs to read files from a specific Cloud Storage bucket. You want to follow the principle of least privilege.

How should you grant the VM access to the bucket?

Answer options:

A.

Use the default Compute Engine service account and grant it the Storage Admin role.

B.

Create a custom Service Account, grant it the Storage Object Viewer role on the bucket, and attach the Service Account to the VM.

C.

Generate a Service Account JSON key and hardcode it into the application's source code.

D.

Make the Cloud Storage bucket public.

How to approach this question

Apply the principle of least privilege using Service Accounts attached to VMs.

Full Answer

B. Create a custom Service Account, grant it the Storage Object Viewer role on the bucket, and attach the Service Account to the VM. ✓ Correct
To securely grant a VM access to GCP resources, you should create a user-managed (custom) Service Account, grant it only the necessary IAM roles (e.g., Storage Object Viewer), and attach it to the VM. The application can then use Application Default Credentials (ADC) to automatically authenticate without needing to manage JSON keys.
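As an added example (not part of the exam page), here is the procedure the answer describes written out as gcloud commands in a small shell script: create a user-managed service account, bind the Storage Object Viewer role at the bucket level rather than project-wide, and attach the account to the VM so the application picks it up through Application Default Credentials. The project, bucket, VM, zone and service account names are constructed placeholders; the `DRY_RUN` switch and the `run`/`sa_email` helpers are this script's own conventions, not part of gcloud.

```shell
#!/bin/sh
# Added example: least-privilege bucket read access for a Compute Engine VM.
# PROJECT, BUCKET, VM, ZONE and SA name below are constructed placeholders.
set -eu

# Compose the service account e-mail from its short name and project id.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Run a command, or only print it when DRY_RUN=1 so the plan can be reviewed
# before anything touches a real project.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Steps: create a user-managed SA, grant read-only access on the one bucket,
# then attach the SA to the VM (the instance must be stopped for that step).
grant_bucket_read_to_vm() {
  project="$1"; bucket="$2"; vm="$3"; zone="$4"; sa_name="$5"
  email="$(sa_email "$sa_name" "$project")"

  run gcloud iam service-accounts create "$sa_name" \
      --project="$project" --display-name="Reader for gs://$bucket"

  # Bucket-scoped binding: the SA can read objects in this bucket and nothing else.
  run gcloud storage buckets add-iam-policy-binding "gs://$bucket" \
      --member="serviceAccount:$email" --role="roles/storage.objectViewer"

  run gcloud compute instances stop "$vm" --project="$project" --zone="$zone"
  # The cloud-platform scope is broad, but IAM (the single bucket binding above)
  # is what actually limits what the attached SA can do.
  run gcloud compute instances set-service-account "$vm" \
      --project="$project" --zone="$zone" \
      --service-account="$email" --scopes=cloud-platform
  run gcloud compute instances start "$vm" --project="$project" --zone="$zone"
}

# Check from inside the VM (not run here): ADC resolves to the attached SA via
# the metadata server, so the application needs no downloaded JSON key.
#   curl -s -H 'Metadata-Flavor: Google' \
#     http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email

if [ "${1:-}" = "--run" ]; then
  grant_bucket_read_to_vm "my-project" "my-bucket" "app-vm" "us-central1-a" "app-bucket-reader"
fi
```

Invoke it as `DRY_RUN=1 sh grant.sh --run` to see the exact commands first, then without `DRY_RUN` to apply them. The role binding is made on `gs://my-bucket` rather than on the project, which is the part that keeps the grant at least privilege: a project-level Storage Object Viewer grant would expose every bucket in the project.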

Common mistakes

Using the default compute service account, or downloading JSON keys to the VM.

Practice the full GCP Associate Cloud Engineer Practice Exam 3
