Domain 5.2: Managing service accounts — GCP ACE Practice Question 45

How to approach this question

Identify the best practice for authenticating applications running on GCP compute resources.

Full Answer

B.Create a custom service account, grant it the 'Storage Object Viewer' role on the bucket, and attach the service account to the VM.✓ Correct

The most secure way to grant an application running on Compute Engine access to other GCP services is to attach a Service Account to the VM. You grant the necessary IAM roles to the Service Account. The application can then transparently request short-lived access tokens from the VM's metadata server. This eliminates the need to manage, rotate, or store sensitive JSON keys.

Common mistakes

Choosing to download a JSON key. While this works, it is an anti-pattern when running inside GCP because keys can be leaked or stolen.

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket.

What is the most secure way to grant the application access to the bucket?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 7

More questions from this exam

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket. What is the most secure way to grant the application access to the bucket?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 7

More questions from this exam

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket.

What is the most secure way to grant the application access to the bucket?