Domain 5.2: Managing service accounts — GCP ACE Practice Question 47

How to approach this question

Understand that Service Accounts are identities (email addresses) that can be granted permissions in ANY project.

Full Answer

Create a custom Service Account in 'Project-App' and attach it to the VM., In 'Project-Data', grant the Storage Object Viewer role to the Service Account created in 'Project-App'.

To achieve cross-project access, you create the Service Account in the project where the compute resource lives ('Project-App') and attach it to the VM. Then, you go to the resource project ('Project-Data') and add that Service Account's email address to the IAM policy, granting it the necessary role (Storage Object Viewer).

Common mistakes

Thinking VPC peering is required for API access, or trying to create the SA in the data project.

You have two GCP projects: 'Project-App' and 'Project-Data'. A Compute Engine VM in 'Project-App' needs to read data from a Cloud Storage bucket located in 'Project-Data'.

Which TWO steps are required to configure this cross-project access securely? (Select TWO)

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 3

More questions from this exam

You have two GCP projects: 'Project-App' and 'Project-Data'. A Compute Engine VM in 'Project-App' needs to read data from a Cloud Storage bucket located in 'Project-Data'. Which TWO steps are required to configure this cross-project access securely? (Select TWO)

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 3

More questions from this exam

You have two GCP projects: 'Project-App' and 'Project-Data'. A Compute Engine VM in 'Project-App' needs to read data from a Cloud Storage bucket located in 'Project-Data'.

Which TWO steps are required to configure this cross-project access securely? (Select TWO)