ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 5.2: Managing service accountsDomain 5Service AccountsSecurity Best PracticesCompute Engine

GCP ACE · Question 46 · Domain 5.2: Managing service accounts

You are deploying a custom application on a Compute Engine VM. The application needs to read configuration files from a specific Cloud Storage bucket.

What is the MOST secure way to grant the VM access to the bucket?

Answer options:

A.

Create a custom service account, grant it the roles/storage.objectViewer role on the bucket, and attach the service account to the VM.

B.

Use the default Compute Engine service account, as it automatically has Editor access to the project.

C.

Generate a JSON key for a service account, store it on the VM, and configure the application to authenticate using the key file.

D.

Make the Cloud Storage bucket public so the VM can read it without authentication.

How to approach this question

Apply the principle of least privilege. Avoid default accounts with broad access, and avoid managing physical keys when GCP can do it natively.

Full Answer

A.Create a custom service account, grant it the `roles/storage.objectViewer` role on the bucket, and attach the service account to the VM.✓ Correct
Create a custom service account, grant it the roles/storage.objectViewer role on the bucket, and attach the service account to the VM.
The best practice for granting VMs access to GCP resources is to create a user-managed (custom) service account, grant that specific account only the permissions it needs (e.g., `roles/storage.objectViewer` on the specific bucket), and attach that service account to the VM during creation. The application can then use Application Default Credentials (ADC) to authenticate securely without you ever needing to manage or download JSON keys.

Common mistakes

Using the default compute service account out of convenience, which grants the VM Editor access to the entire project.
45All questions47

Practice the full GCP Associate Cloud Engineer Practice Exam 5

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01You are starting a new initiative and need to create a new Google Cloud project using the command...EasyQ02A developer on your team needs to manage App Engine applications, including deploying new version...MediumQ03You have created a new Google Cloud project. You need to allow a specific group of developers to ...MediumQ04Which statement best describes the relationship between Google Cloud projects and billing accounts?EasyQ05Your company wants to be notified immediately in their Slack channel whenever their monthly Googl...Medium
View all 50 questions →