
Answer-first summary for fast verification
Answer: Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
The correct answer is C because it aligns with Google Cloud's recommended security practices. When an application runs on a Compute Engine instance with an attached service account that has read-only access to the Cloud Storage bucket, the application can obtain that service account's credentials from the instance metadata server at runtime, so no sensitive credential has to be stored in application configuration files. This approach follows the principle of least privilege by granting only the permissions the application needs, and it avoids making the bucket globally readable. Option B is less secure because it stores service account credentials in the application configuration, where they could be exposed. Option A relies on IP-based ACLs, which are weaker than identity-based access control and may not scale well. Option D addresses only encryption and does not control access to the bucket itself.
Author: LeetQuiz Editorial Team
An application running on a Compute Engine instance needs to access data in a Cloud Storage bucket. Your team's policy prohibits globally readable buckets and requires adherence to the principle of least privilege.
Which is the correct approach to meet this requirement?
A. Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
B. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
C. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
D. Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.