
Explanation:
The correct answer is C. Google-recommended practice is to grant the least privilege necessary. The 'storage.objectCreator' IAM role allows for writing new objects to the bucket without providing excessive permissions. Option A is incorrect as the specified access scope does not exist. Option B is not ideal because it grants overly broad permissions to all Google Cloud Platform services. Option D is incorrect because the 'storage.objectAdmin' role grants full control over objects in the bucket, which exceeds the necessary permissions for the given task.
To configure permissions for a set of Compute Engine instances allowing them to write data to a specific Cloud Storage bucket while adhering to Google's recommended practices, what steps should you take?
A. Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/devstorage.write_only'.
B. Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/cloud-platform'.
C. Create a service account and add it to the IAM role 'storage.objectCreator' for that bucket.
D. Create a service account and add it to the IAM role 'storage.objectAdmin' for that bucket.