You manage a Google Cloud project (Project A) that is protected by a VPC Service Controls perimeter, which is currently blocking all API access, including Pub/Sub. A service account from a different, unprotected project (Project B) needs to consume messages from a Pub/Sub topic in Project A. You must grant this access following the principle of least privilege.

What should you do?

Exam-Like

Configure an ingress policy for the perimeter in Project A, and allow access for the service account in Project B to collect messages.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.

Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Google Professional Cloud Security Engineer