ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 5.2: Managing service accountsCompute EngineService AccountsSecurityLeast Privilege

GCP ACE · Question 46 · Domain 5.2: Managing service accounts

You are deploying an application on a Compute Engine instance. The application needs to write logs to Cloud Logging and read configuration files from a specific Cloud Storage bucket.

What is the MOST secure way to grant the application these permissions?

Answer options:

A.

Use the default Compute Engine service account and leave the access scopes at their default settings.

B.

Create a custom Service Account, grant it the specific roles needed for Logging and Storage, and attach this Service Account to the VM instance.

C.

Generate a JSON key for a service account that has the required permissions and hardcode the key into the application's source code.

D.

Grant the 'roles/owner' IAM role to the default Compute Engine service account.

How to approach this question

Apply the principle of least privilege. Avoid default service accounts (too broad) and avoid hardcoding keys.

Full Answer

B.Create a custom Service Account, grant it the specific roles needed for Logging and Storage, and attach this Service Account to the VM instance.✓ Correct
The most secure way to grant permissions to an application running on Compute Engine is to use a user-managed (custom) Service Account. You create a new service account, grant it only the specific IAM roles required (e.g., Logs Writer, Storage Object Viewer), and then attach that service account to the VM instance during creation. The application can then automatically authenticate using Application Default Credentials without needing any hardcoded keys. Using the default Compute Engine service account is discouraged because it has the broad 'Editor' role by default.

Common mistakes

Using the default service account, or thinking you must download a JSON key to authenticate from a VM.
45All questions47

Practice the full GCP Associate Cloud Engineer Practice Exam 6

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01What is the primary purpose of a Google Cloud project?EasyQ02Your development team needs to manage Compute Engine instances in a specific project. They need t...MediumQ03You are automating the setup of a new Google Cloud project using a bash script. You need to enabl...EasyQ04Your startup has a strict monthly cloud budget of $500. You want to be notified immediately if yo...MediumQ05Your finance team wants to perform granular analysis of your Google Cloud spending using SQL. The...Hard
View all 50 questions →