Domain 5.2: Managing service accounts — GCP ACE Practice Question 46

How to approach this question

Combine the concepts of least privilege and native VM authentication.

Full Answer

C.Create a custom service account, grant it the Storage Object Viewer role on the bucket, and attach the service account to the VM instance.✓ Correct

The most secure approach is to create a dedicated (custom) service account for the VM. Grant this service account only the specific role it needs (`roles/storage.objectViewer`) on the specific resource (the bucket). Finally, attach this service account to the VM. The application can then securely retrieve short-lived credentials from the VM's metadata server without needing hardcoded JSON keys.

Common mistakes

Using the default compute service account (which has broad Editor access by default) or manually managing JSON keys.

An application running on a Compute Engine VM needs to read files from a Cloud Storage bucket. What is the MOST secure way to grant the VM access to the bucket?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 1

More questions from this exam