Medium · 1 mark · Multiple Choice
Tags: Domain 5.2 (Managing service accounts), Service Accounts, Security, Compute Engine

GCP ACE · Question 46 · Domain 5.2: Managing service accounts

You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket.

What is the MOST secure way to grant the VM access to the bucket?

Answer options:

A.

Generate a service account JSON key, place it on the VM, and configure the application to use it.

B.

Use the default Compute Engine service account and grant it the 'Project Editor' role.

C.

Create a custom service account, grant it the 'Storage Object Viewer' role, and attach it to the VM.

D.

Make the Cloud Storage bucket public.

How to approach this question

Identify the best practice for granting VMs access to GCP resources.

Full Answer

C. Create a custom service account, grant it the 'Storage Object Viewer' role, and attach it to the VM. ✓ Correct
The most secure way to grant a Compute Engine VM access to GCP APIs is to create a dedicated, custom service account with only the specific permissions needed (least privilege), and attach that service account to the VM. The metadata server automatically provides short-lived, rotating credentials to the application, eliminating the need to manage static JSON keys.

Common mistakes

Downloading JSON keys to VMs, which is an anti-pattern for workloads running inside GCP.

Practice the full GCP Associate Cloud Engineer Practice Exam 4