You have two projects: 'Project A' (where your Compute Engine VMs run) and 'Project B' (where your BigQuery datasets reside). The VMs in Project A need to run queries against the datasets in Project B.

Which TWO steps are required to configure this cross-project access securely? (Select TWO)

Google Cloud IAM supports cross-project access natively. A Service Account created in one project can be granted permissions in another project. To allow VMs in Project A to access BigQuery in Project B, you first identify the Service Account attached to the VMs in Project A. Then, you go to the IAM console in Project B, click 'Add', enter the email address of the Project A Service Account, and assign it the necessary BigQuery roles (e.g., BigQuery Data Viewer, BigQuery Job User). No keys need to be downloaded, and no network peering is required.