
Explanation:
A is correct: creating a dedicated service account for each sub-application and attaching it with the `--service-account` flag when the instance is created is Google's recommended practice for granular access control. Each instance then presents its own identity to Google Cloud APIs, so IAM roles can be granted per sub-application at the least privilege it needs, instead of every instance sharing the project's default Compute Engine service account (which is commonly left with the broad Editor role). B is incorrect: instance metadata is a configuration channel that the running instance reads; writing a service-account name into it does not attach that account to the instance or grant it any permission, and the metadata server only issues tokens for the account that is actually attached. C is incorrect: `gcloud compute instances update` has no flag for changing the attached service account (the command for that is `gcloud compute instances set-service-account`, which requires the instance to be stopped), and there is no reason to defer the assignment when it can be made at creation. D is incorrect for the same reason as B; metadata cannot be used to manage API access permissions. For more details, refer to Google Cloud's documentation on service accounts.
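The following script is an added example of answer A and is not part of the original page or of any Google Cloud documentation. It prints the gcloud commands that give one sub-app its own service account, a single IAM role, and an instance with that account attached at creation, and it audits an instance inventory for the two anti-patterns the explanation warns about: instances still on the project's default Compute Engine service account, and one account shared by several instances. The project id `pony-prod`, the zone, the sub-app and instance names, the roles, and the inventory lines are all constructed for illustration; the gcloud commands are printed rather than executed so the example runs without gcloud installed.

```shell
#!/bin/sh
# Added example, not code from the original page: one service account per
# Pony sub-app on Compute Engine, bound at instance creation, plus an offline
# audit of an instance inventory.
# PROJECT_ID, ZONE, sub-app names, instance names and roles are assumptions.
set -eu

PROJECT_ID="pony-prod"        # assumed project id
ZONE="us-central1-a"          # assumed zone

# Print (rather than run) the gcloud commands that create a dedicated service
# account for one sub-app, grant it a single role, and create the instance
# with that account attached via --service-account. Pipe the output to sh to
# apply it once PROJECT_ID and the roles are right for your project.
provision_commands() {
  app="$1"; role="$2"
  sa="${app}-sa@${PROJECT_ID}.iam.gserviceaccount.com"
  printf '%s\n' \
    "gcloud iam service-accounts create ${app}-sa --project=${PROJECT_ID} --display-name='Pony ${app}'" \
    "gcloud projects add-iam-policy-binding ${PROJECT_ID} --member='serviceAccount:${sa}' --role='${role}'" \
    "gcloud compute instances create ${app}-vm --project=${PROJECT_ID} --zone=${ZONE} --service-account='${sa}' --scopes=cloud-platform"
}

# Audit an inventory of "instance<TAB>service-account-email" lines, the shape
# produced by:
#   gcloud compute instances list --format="value(name,serviceAccounts[].email)"
# Reports instances on the default Compute Engine service account
# (PROJECT_NUMBER-compute@developer.gserviceaccount.com) and any account
# attached to more than one instance. One finding per output line.
audit_service_accounts() {
  awk -F'\t' '
    {
      count[$2]++; members[$2] = members[$2] " " $1
      if ($2 ~ /-compute@developer\.gserviceaccount\.com$/) deflt = deflt " " $1
    }
    END {
      if (deflt != "") print "DEFAULT_SA:" deflt
      for (s in count) if (count[s] > 1) print "SHARED " s ":" members[s]
    }'
}

# Constructed sample inventory (not real project data): two sub-apps done
# correctly, one instance on the default account, two instances sharing one.
SAMPLE_INVENTORY=$(printf '%s\t%s\n' \
  feed-vm   feed-sa@pony-prod.iam.gserviceaccount.com \
  chat-vm   chat-sa@pony-prod.iam.gserviceaccount.com \
  upload-vm 123456789012-compute@developer.gserviceaccount.com \
  search-vm shared-sa@pony-prod.iam.gserviceaccount.com \
  ads-vm    shared-sa@pony-prod.iam.gserviceaccount.com)

# Number of findings for the sample inventory, usable as a pass/fail gate.
sample_finding_count() {
  printf '%s\n' "$SAMPLE_INVENTORY" | audit_service_accounts | wc -l | tr -d ' '
}

# Stand-alone run: the plan for two sub-apps, then the audit findings.
provision_commands feed roles/pubsub.publisher
provision_commands chat roles/storage.objectViewer
printf '%s\n' "$SAMPLE_INVENTORY" | audit_service_accounts
```

Two points the script relies on: `--scopes=cloud-platform` leaves the effective permissions entirely to the IAM roles granted to the account (the legacy per-API scopes only further restrict what the attached token can reach), and an instance that was created with the wrong account is retrofitted with `gcloud compute instances set-service-account` after stopping it, not with `instances update` or with metadata.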
Your company has launched a social media app named ‘Pony’, which consists of multiple sub-applications deployed on Compute Engine within the same GCP project. What is the best method to assign specific permissions to each instance that interacts with Google Cloud APIs?
A
Assign a unique service account to each instance for precise access control.
B
Specify the service account name through instance metadata during creation.
C
Use the gcloud compute instances update command post-creation to assign a service account to each instance.
D
Post-creation, utilize the gcloud compute instances update command to add the service account name as instance metadata.