Difficulty: Hard · 1 mark · Multiple Choice
Tags: Domain 5.2 (Managing service accounts), Service Accounts, Cross-Project, IAM

GCP ACE · Question 47 · Domain 5.2: Managing service accounts

You have two GCP projects: 'Project-App' and 'Project-Data'. A Compute Engine VM in 'Project-App' needs to read data from a Cloud Storage bucket located in 'Project-Data'.

Which TWO steps are required to configure this cross-project access securely? (Select TWO)

Answer options:

A. Create a custom Service Account in 'Project-App' and attach it to the VM.

B. Create a custom Service Account in 'Project-Data' and attach it to the VM in 'Project-App'.

C. In 'Project-Data', grant the Storage Object Viewer role to the Service Account created in 'Project-App'.

D. Set up VPC Peering between 'Project-App' and 'Project-Data'.

E. Move the Cloud Storage bucket into 'Project-App'.

How to approach this question

Understand that Service Accounts are identities (email addresses) that can be granted IAM roles in ANY project, not only the project in which they were created.

Full Answer

To achieve cross-project access, you create the Service Account in the project where the compute resource lives ('Project-App') and attach it to the VM. Then, you go to the resource project ('Project-Data') and add that Service Account's email address to the IAM policy, granting it the necessary role (Storage Object Viewer).

Common mistakes

Thinking VPC Peering is required for API access (Cloud Storage is reached through Google APIs, not over a VPC network path), or trying to create the Service Account in the data project instead of the project where the VM runs.

Source: GCP Associate Cloud Engineer Practice Exam 3