Domain 5.2: Managing service accounts — GCP ACE Practice Question 46

How to approach this question

Apply the principle of least privilege. Avoid default accounts with broad access, and avoid managing physical keys when GCP can do it natively.

Full Answer

A.Create a custom service account, grant it the `roles/storage.objectViewer` role on the bucket, and attach the service account to the VM.✓ Correct

The best practice for granting VMs access to GCP resources is to create a user-managed (custom) service account, grant that specific account only the permissions it needs (e.g., `roles/storage.objectViewer` on the specific bucket), and attach that service account to the VM during creation. The application can then use Application Default Credentials (ADC) to authenticate securely without you ever needing to manage or download JSON keys.

Common mistakes

Using the default compute service account out of convenience, which grants the VM Editor access to the entire project.

You are deploying a custom application on a Compute Engine VM. The application needs to read configuration files from a specific Cloud Storage bucket.

What is the MOST secure way to grant the VM access to the bucket?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 5

More questions from this exam

You are deploying a custom application on a Compute Engine VM. The application needs to read configuration files from a specific Cloud Storage bucket. What is the MOST secure way to grant the VM access to the bucket?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 5

More questions from this exam

You are deploying a custom application on a Compute Engine VM. The application needs to read configuration files from a specific Cloud Storage bucket.

What is the MOST secure way to grant the VM access to the bucket?