Explanation:
The correct approach involves creating a service account with minimal necessary permissions (upload to the bucket), generating a JSON key for this account, and using the gsutil signurl command with the -m PUT flag to specify the HTTP method for uploading. This ensures the signed URL is valid for 4 hours and restricts the operation to the specified file (po.pdf), adhering to the principle of least privilege and Google's recommended practices. Other options either misuse the gsutil signurl command parameters or violate security best practices by using overly permissive service accounts.
Ultimate access to all questions.
No comments yet.
Your supplier needs to upload a purchase order to a cloud storage bucket within the next 4 hours without having a Google account. Following Google's recommended practices, what should you do?
A
Create a JSON key for the Default Compute Engine Service Account and execute the command gsutil signurl -m PUT -d 4h gs:///**.
B
Create a service account with upload permissions to the bucket, a JSON key for it, and execute gsutil signurl -httpMethod PUT -d 4h gs:///**.
C
Create a service account with upload permissions to the bucket, a JSON key for it, and execute gsutil signurl -d 4h gs:///.
D
Create a service account with upload permissions to the bucket, a JSON key for it, and execute gsutil signurl -m PUT -d 4h gs:///po.pdf.