Medium · 1 mark · Multiple Choice
Topics: Service Accounts, Security, Compute Engine, IAM

GCP ACE · Question 45 · Domain 5.2: Managing service accounts

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket.

What is the most secure way to grant the application access to the bucket?

Answer options:

A.

Generate a service account JSON key, place it on the VM, and configure the application to use it.

B.

Create a custom service account, grant it the 'Storage Object Viewer' role on the bucket, and attach the service account to the VM.

C.

Make the Cloud Storage bucket public so the application can read it.

D.

Use your personal user account credentials and run 'gcloud auth login' on the VM.

How to approach this question

Identify the best practice for authenticating applications running on GCP compute resources.

Full Answer

B. Create a custom service account, grant it the 'Storage Object Viewer' role on the bucket, and attach the service account to the VM. ✓ Correct
The most secure way to grant an application running on Compute Engine access to other GCP services is to attach a Service Account to the VM. You grant the necessary IAM roles to the Service Account. The application can then transparently request short-lived access tokens from the VM's metadata server. This eliminates the need to manage, rotate, or store sensitive JSON keys.

Common mistakes

Choosing to download a JSON key. While this works, it is an anti-pattern when running inside GCP because keys can be leaked or stolen.

Practice the full GCP Associate Cloud Engineer Practice Exam 7
