
Answer-first summary for fast verification
Answer: Create a service account and assign it the IAM role `storage.objectCreator` for the specified bucket.

Option A is incorrect because the access scope `https://www.googleapis.com/auth/devstorage.write_only` does not exist; even as described, a write-only scope would not give the app the access it needs.

Option B is incorrect because, while the `https://www.googleapis.com/auth/cloud-platform` scope grants full access to all Google Cloud services, it violates the principle of least privilege by providing unnecessary permissions.

Option C is correct because the `storage.objectCreator` role is the minimal role required for writing data to a Cloud Storage bucket, in line with Google's recommendation to grant least privilege.

Option D is incorrect because the `storage.objectAdmin` role provides excessive permissions, including the ability to modify bucket settings and delete objects, which the app's functionality does not require.

For more information, refer to:
- [Cloud Storage IAM Roles](https://cloud.google.com/storage/docs/access-control/iam-roles)
- [IAM Recommender Overview](https://cloud.google.com/iam/docs/recommender-overview)
Author: LeetQuiz Editorial Team
Your application is hosted on Compute Engine and uses application default credentials to interact with Google APIs. It requires permissions to write data to a specific Cloud Storage bucket. Following Google's best practices, what is the most appropriate action to take?

A. Create a service account with an access scope and use `https://www.googleapis.com/auth/devstorage.write_only` as the access scope.

B. Create a service account with an access scope and use `https://www.googleapis.com/auth/cloud-platform` as the access scope.

C. Create a service account and assign it the IAM role `storage.objectCreator` for the specified bucket.

D. Create a service account and assign it the IAM role `storage.objectAdmin` for the specified bucket.