Domain 5.2: Managing service accounts — GCP ACE Practice Question 46

How to approach this question

Identify the best practice for granting VMs access to GCP resources.

Full Answer

C.Create a custom service account, grant it the 'Storage Object Viewer' role, and attach it to the VM.✓ Correct

Create a custom service account, grant it the 'Storage Object Viewer' role, and attach it to the VM.

The most secure way to grant a Compute Engine VM access to GCP APIs is to create a dedicated, custom service account with only the specific permissions needed (least privilege), and attach that service account to the VM. The metadata server automatically provides short-lived, rotating credentials to the application, eliminating the need to manage static JSON keys.

Common mistakes

Downloading JSON keys to VMs, which is an anti-pattern for workloads running inside GCP.

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket.

What is the MOST secure way to grant the VM access to the bucket?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 4

More questions from this exam

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket. What is the MOST secure way to grant the VM access to the bucket?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 4

More questions from this exam

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket.

What is the MOST secure way to grant the VM access to the bucket?