ExpertMinds


© 2026 TinyHive Labs. Company number 16262776.

    Medium · 1 mark · Multiple Choice
    Domain 5.2: Managing service accounts · Compute Engine · Service Accounts · Security · Least Privilege

    GCP ACE · Question 46 · Domain 5.2: Managing service accounts

    You are deploying an application on a Compute Engine instance. The application needs to write logs to Cloud Logging and read configuration files from a specific Cloud Storage bucket.

    What is the MOST secure way to grant the application these permissions?

    Answer options:

    A. Use the default Compute Engine service account and leave the access scopes at their default settings.

    B. Create a custom Service Account, grant it the specific roles needed for Logging and Storage, and attach this Service Account to the VM instance.

    C. Generate a JSON key for a service account that has the required permissions and hardcode the key into the application's source code.

    D. Grant the 'roles/owner' IAM role to the default Compute Engine service account.

    How to approach this question

    Apply the principle of least privilege. Avoid default service accounts (too broad) and avoid hardcoding keys.

    Full Answer

    B. Create a custom Service Account, grant it the specific roles needed for Logging and Storage, and attach this Service Account to the VM instance. ✓ Correct
    The most secure way to grant permissions to an application running on Compute Engine is to use a user-managed (custom) Service Account. You create a new service account, grant it only the specific IAM roles required (e.g., Logs Writer, Storage Object Viewer), and then attach that service account to the VM instance during creation. The application can then automatically authenticate using Application Default Credentials without needing any hardcoded keys. Using the default Compute Engine service account is discouraged because it has the broad 'Editor' role by default.
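
The steps in the answer above, written out as gcloud commands. This is an added example, not part of the original question; the project, service account, bucket, VM and zone names are constructed placeholders, and the `run` dry-run wrapper is a hypothetical helper so the script can be read and checked without touching a real project.

```shell
#!/usr/bin/env bash
# Added example: least-privilege service account for a Compute Engine VM.
# Every name below is a constructed placeholder; override via environment.
PROJECT_ID="${PROJECT_ID:-example-project}"
SA_NAME="${SA_NAME:-app-vm-sa}"
BUCKET="${BUCKET:-example-config-bucket}"
VM_NAME="${VM_NAME:-app-vm}"
ZONE="${ZONE:-us-central1-a}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Hypothetical helper: DRY_RUN=1 (the default) prints each command
# instead of executing it; set DRY_RUN=0 to apply the changes.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

provision() {
  # 1. Dedicated user-managed service account; it starts with no roles.
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" --display-name="App VM runtime identity"

  # 2. Logs Writer on the project: permission to write log entries only.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="roles/logging.logWriter" --condition=None

  # 3. Storage Object Viewer bound on the one bucket, not the project,
  #    so the application cannot read objects in any other bucket.
  run gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="roles/storage.objectViewer"

  # 4. Attach the account at VM creation. No key file is generated;
  #    the application picks up credentials from the metadata server
  #    through Application Default Credentials.
  run gcloud compute instances create "$VM_NAME" \
    --project="$PROJECT_ID" --zone="$ZONE" \
    --service-account="$SA_EMAIL" --scopes="cloud-platform"
}

provision
```

The `cloud-platform` access scope leaves authorization to the IAM roles granted in steps 2 and 3, which is why those bindings are kept narrow.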

    Common mistakes

    Using the default service account, or thinking you must download a JSON key to authenticate from a VM.