Option A is correct because attaching service accounts to resources like Compute Engine is both convenient and secure, aligning with Google's recommended practices. This approach minimizes changes by leveraging the VM's existing service account with the necessary IAM permissions. Option B is incorrect as it introduces unnecessary complexity by creating a new service account. Options C and D are incorrect due to the security risks associated with storing credentials in configuration files. Service account credentials should be managed securely, not deployed with applications, and user account credentials are unsuitable for application authentication on VM instances.