Google Professional Cloud Developer

Get started today

Ultimate access to all questions.

Explanation:

The principle of least privilege requires granting only the necessary permissions. To enable a Cloud Function in Project A to write to a bucket in Project B, the function must use a service account from Project A (its own project) with the minimal role roles/storage.objectCreator assigned on the bucket in Project B.

Option A incorrectly creates the service account in Project B, which cannot be used directly by the Cloud Function in Project A (service accounts are project-specific).
Option B correctly creates a service account in Project A, deploys the function with it, and grants the required role on Project B's bucket, adhering to least privilege.
Option C uses Project A's default App Engine service account, which has broad permissions (Editor role by default), violating least privilege.
Option D uses Project B's default App Engine service account, which is invalid since the function in Project A cannot use a service account from another project without explicit impersonation setup (not mentioned here).

Explanation:

Option A incorrectly creates the service account in Project B, which cannot be used directly by the Cloud Function in Project A (service accounts are project-specific).
Option B correctly creates a service account in Project A, deploys the function with it, and grants the required role on Project B's bucket, adhering to least privilege.
Option C uses Project A's default App Engine service account, which has broad permissions (Editor role by default), violating least privilege.
Option D uses Project B's default App Engine service account, which is invalid since the function in Project A cannot use a service account from another project without explicit impersonation setup (not mentioned here).

Comments (0)

No comments yet.

You have two Google Cloud projects, named Project A and Project B. You need to deploy a Cloud Function in Project A that stores its output in a Cloud Storage bucket located in Project B while adhering to the principle of least privilege. How should you configure this setup?

Exam-Like

Create a Google service account in Project B. 2. Deploy the Cloud Function with the service account in Project A. 3. Assign this service account the roles/storage.objectCreator role on the storage bucket residing in Project B.

15.1%

Create a Google service account in Project A 2. Deploy the Cloud Function with the service account in Project A. 3. Assign this service account the roles/storage.objectCreator role on the storage bucket residing in Project B.

67.9%

Determine the default App Engine service account (PROJECT_ID@appspot.gserviceaccount.com) in Project A. 2. Deploy the Cloud Function with the default App Engine service account in Project A. 3. Assign the default App Engine service account the roles/storage.objectCreator role on the storage bucket residing in Project B.

13.2%

Powered ByGPT 5.4 powered

Determine the default App Engine service account (PROJECT_ID@appspot.gserviceaccount.com) in Project B. 2. Deploy the Cloud Function with the default App Engine service account in Project A. 3. Assign the default App Engine service account the roles/storage.objectCreator role on the storage bucket residing in Project B.