Explanation:
The correct approach involves creating a service account with just the necessary permissions to access the bucket files, generating a JSON key for this account, and then using the gsutil signurl -d 1h command to create a signed URL that expires after 1 hour. The -d flag correctly specifies the duration for the URL's validity. Other options either use incorrect flags (-t, -p, -m) which are not supported for specifying time, or violate the principle of least privilege by using the Default Compute Engine Service Account. For more details, refer to Google's documentation on gsutil signurl.
Ultimate access to all questions.
No comments yet.
You need to share files from a Cloud Storage bucket with your suppliers for a limited time of 1 hour, following Google's recommended practices. What is the best approach?
A
Create a service account with minimal permissions to access the bucket files. Generate a JSON key for this account. Use the command gsutil signurl -p 60m gs:///.
B
Create a service account with minimal permissions to access the bucket files. Generate a JSON key for this account. Use the command gsutil signurl -d 1h gs:///**.
C
Generate a JSON key for the Default Compute Engine Service Account. Use the command gsutil signurl -t 60m gs:///*.*.
D
Create a service account with minimal permissions to access the bucket files. Generate a JSON key for this account. Use the command gsutil signurl -m 1h gs:///*.