
Answer-first summary for fast verification

Answer:
1. Create a Google service account in Project A.
2. Deploy the Cloud Function with that service account in Project A.
3. Assign this service account the `roles/storage.objectCreator` role on the storage bucket residing in Project B.
The principle of least privilege requires granting only the necessary permissions. To enable a Cloud Function in Project A to write to a bucket in Project B, the function must use a service account from Project A (its own project) with the minimal role `roles/storage.objectCreator` assigned on the bucket in Project B.

- **Option A** incorrectly creates the service account in Project B, which cannot be used directly by the Cloud Function in Project A (service accounts are project-specific).
- **Option B** correctly creates a service account in Project A, deploys the function with it, and grants the required role on Project B's bucket, adhering to least privilege.
- **Option C** uses Project A's default App Engine service account, which has broad permissions (Editor role by default), violating least privilege.
- **Option D** uses Project B's default App Engine service account, which is invalid since the function in Project A cannot use a service account from another project without explicit impersonation setup (not mentioned here).
Author: LeetQuiz Editorial Team
You have two Google Cloud projects, named Project A and Project B. You need to deploy a Cloud Function in Project A that stores its output in a Cloud Storage bucket located in Project B while adhering to the principle of least privilege. How should you configure this setup?