
Answer-first summary for fast verification
Answer: Create a user-managed service account with a custom Identity and Access Management (IAM) role.
The principle of least privilege requires granting only the minimum permissions necessary. The default service account (Option D) and Project Editor role (Option C) are overly broad. The Storage Admin role (Option B) includes permissions beyond read/write (e.g., bucket management), which are unnecessary here. Creating a user-managed service account with a custom IAM role (Option A) allows tailoring permissions to **only** Cloud Storage object read/write actions (e.g., `storage.objects.get` and `storage.objects.create`), adhering to least privilege. This approach is more precise than predefined roles in this scenario.
Author: LeetQuiz Editorial Team
You have a Python application running in production on Cloud Run that needs to read and write data from a Cloud Storage bucket in the same project. How do you grant the application access while adhering to the principle of least privilege?
A. Create a user-managed service account with a custom Identity and Access Management (IAM) role.
B. Create a user-managed service account with the Storage Admin Identity and Access Management (IAM) role.
C. Create a user-managed service account with the Project Editor Identity and Access Management (IAM) role.
D. Use the default service account linked to the Cloud Run revision in production.
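The custom-role approach from Option A as concrete gcloud steps, added here as an example (this is not LeetQuiz's own code): it writes a custom role definition restricted to object-level permissions, checks that nothing outside `storage.objects.*` slipped in, then creates a dedicated service account, binds the role on the one bucket rather than on the whole project, and points the Cloud Run service at that account. Project, bucket, service, region and role names are assumed placeholders. The permission set extends the `get`/`create` pair named in the summary with `list` and `delete`, because overwriting an existing object name in Cloud Storage requires `storage.objects.delete`. The gcloud commands are real, but they are only printed unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env sh
# Added example: least-privilege access from a Cloud Run service to one bucket.
# All names below are placeholders; override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"            # assumed
SA_NAME="${SA_NAME:-app-storage-rw}"              # assumed
ROLE_ID="${ROLE_ID:-cloudRunStorageObjectRW}"     # assumed
BUCKET="${BUCKET:-my-app-bucket}"                 # assumed
SERVICE="${SERVICE:-my-python-service}"           # assumed
REGION="${REGION:-us-central1}"                   # assumed
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands only

# Print the command, or execute it when DRY_RUN=0.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Object-level permissions only; no bucket management, no IAM changes.
#   storage.objects.get    read object data and metadata
#   storage.objects.create write new objects
#   storage.objects.list   enumerate objects (most client list calls need it)
#   storage.objects.delete required to overwrite an existing object name
rw_permissions() {
  printf '%s\n' storage.objects.get storage.objects.create \
                storage.objects.list storage.objects.delete
}

# Write a role definition in the YAML shape accepted by `gcloud iam roles create --file`.
write_role_file() {
  {
    echo "title: Cloud Run storage object read/write"
    echo "description: Object read/write only; no bucket management"
    echo "stage: GA"
    echo "includedPermissions:"
    rw_permissions | sed 's/^/- /'
  } > "$1"
}

# Allowlist check: every listed permission must be storage.objects.*.
# Returns non-zero if a bucket-, HMAC-, IAM- or project-level permission slipped in.
role_file_is_minimal() {
  ! grep -E '^- ' "$1" | grep -Ev '^- storage\.objects\.' >/dev/null
}

deploy_least_privilege() {
  role_file="${TMPDIR:-/tmp}/${ROLE_ID}.yaml"
  write_role_file "$role_file"
  role_file_is_minimal "$role_file" || { echo "role definition is too broad" >&2; return 1; }

  # 1. Project-level custom role carrying only the object permissions above.
  run gcloud iam roles create "$ROLE_ID" --project "$PROJECT_ID" --file "$role_file"

  # 2. Dedicated service account instead of the default Compute Engine account.
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
      --display-name "Cloud Run storage RW"
  sa_email="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

  # 3. Bind on the bucket, not the project, so the grant reaches only this bucket.
  run gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
      --member "serviceAccount:${sa_email}" \
      --role "projects/${PROJECT_ID}/roles/${ROLE_ID}"

  # 4. Run the service as that account; Cloud Run's metadata server then
  #    issues tokens for it, so no key file is needed in the container.
  run gcloud run services update "$SERVICE" --region "$REGION" \
      --project "$PROJECT_ID" --service-account "$sa_email"
}

deploy_least_privilege
```

Binding at the bucket level is the part most often skipped: a project-level grant of the same custom role would let the service read and write every bucket in the project, which is broader than the question asks for.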