
Answer-first summary for fast verification
Answer: Create IAM bindings for the VM’s service account and the required buckets that allow appropriate access to the data stored in the buckets.
Option B is correct. The VM authenticates as its attached service account, and a bucket-level IAM binding can name that service account (serviceAccount:NAME@PROJECT.iam.gserviceaccount.com) even when the bucket belongs to another project, because IAM members are not scoped to the project that owns the resource. Granting a specific Cloud Storage role such as roles/storage.objectViewer on each required bucket follows least privilege, and individual bindings can be added or removed as the set of buckets changes. Option A (access scopes) is a legacy, VM-level control: a scope such as devstorage.read_only applies to every bucket the service account can reach, cannot single out individual buckets, and only narrows what IAM already allows; Google's guidance is to attach the cloud-platform scope and manage permissions with IAM. Option C (domain-wide delegation) lets a service account impersonate Google Workspace users against Workspace APIs and plays no part in Cloud Storage authorization. Option D works in principle, since a service account can be a member of a Google Group, but the extra indirection buys nothing for a single application and makes it harder to audit which identity actually holds access on each bucket.
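The following Python is an added example and is not part of the original page or of any Google tooling. It models what `gcloud storage buckets add-iam-policy-binding` does client-side: read the bucket's IAM policy, add the VM's service account to a role binding without disturbing other members or the etag, and write it back. The policy document, the project ids (`my-app-project`, `data-project`), the bucket name and the service account name are all constructed assumptions, and no Google API is called; the role-to-permission map is a deliberate subset of the real predefined roles.

```python
"""Added example (not from the original page): least-privilege IAM bindings
for a VM's service account on a Cloud Storage bucket in another project.

The policy document below has the shape returned by
`gcloud storage buckets get-iam-policy gs://BUCKET --format=json`; it is
constructed sample data and no Google API is called. In production, read the
real policy, pass it through add_binding()/remove_binding(), and write it
back with `gcloud storage buckets set-iam-policy`, or run the one-shot
command that binding_command() builds. Project ids, the bucket name and the
service account name are assumptions.
"""
from __future__ import annotations

import copy
import re

# Identity the Compute Engine VM authenticates as (assumed names).
VM_SA = "serviceAccount:app-vm@my-app-project.iam.gserviceaccount.com"

# Constructed sample policy of a bucket owned by a *different* project.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "CAE=",
    "bindings": [
        {
            "role": "roles/storage.legacyBucketOwner",
            "members": ["projectOwner:data-project", "projectEditor:data-project"],
        },
        {
            "role": "roles/storage.objectViewer",
            "members": ["user:analyst@example.com"],
        },
    ],
}

# Subset of the permissions in each predefined Cloud Storage role, enough to
# reason about object reads and writes (the real roles contain more).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
}

_MEMBER_RE = re.compile(
    r"^(user|serviceAccount|group):[^@\s]+@[^@\s]+$"
    r"|^project(Owner|Editor|Viewer):[a-z][-a-z0-9]{4,28}[a-z0-9]$"
)


def validate_member(member: str) -> None:
    """Reject public principals and malformed member strings before they
    reach a bucket policy; a typo here is a silent data exposure."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        raise ValueError(f"refusing to bind public principal {member}")
    if not _MEMBER_RE.match(member):
        raise ValueError(f"malformed IAM member: {member!r}")


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` added to `role`.

    Idempotent: re-adding an existing member yields an equal policy. The etag
    is preserved so set-iam-policy fails on a concurrent modification instead
    of overwriting it.
    """
    validate_member(member)
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown or unsupported role {role}")
    new_policy = copy.deepcopy(policy)
    for binding in new_policy["bindings"]:
        # Bindings carrying an IAM condition are separate grants; leave them alone.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def remove_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` without `member` in `role` (used when a bucket
    drops out of the application's required set). Empty bindings are dropped."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def member_permissions(policy: dict, member: str) -> set[str]:
    """Union of the (modelled) permissions `member` holds directly on the bucket.
    Group membership and project-level grants are not resolved here."""
    perms: set[str] = set()
    for binding in policy["bindings"]:
        if member in binding["members"] and "condition" not in binding:
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def can(policy: dict, member: str, permission: str) -> bool:
    return permission in member_permissions(policy, member)


def binding_command(bucket: str, role: str, member: str) -> str:
    """gcloud command equivalent to add_binding() applied and written back."""
    validate_member(member)
    return (
        f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
        f"--member={member} --role={role}"
    )


if __name__ == "__main__":
    granted = add_binding(SAMPLE_POLICY, "roles/storage.objectViewer", VM_SA)
    print(binding_command("data-project-raw", "roles/storage.objectViewer", VM_SA))
    print("can read:", can(granted, VM_SA, "storage.objects.get"))
    print("can write:", can(granted, VM_SA, "storage.objects.create"))
```

Two design points worth noting. The binding is made on the bucket, not on the other project, so the VM's service account gains nothing beyond the named buckets; when a bucket is no longer needed, `remove_binding` (or `gcloud storage buckets remove-iam-policy-binding`) revokes exactly that grant. And the VM itself should be created with the `cloud-platform` access scope and this service account attached, otherwise a narrower legacy scope will block calls that IAM already permits.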
Author: LeetQuiz Editorial Team
You have an application running on a Compute Engine VM that requires access to data in Cloud Storage buckets located in other Google Cloud projects. The specific buckets requiring access may change over time. How do you grant this access in accordance with Google Cloud's recommended practices?
A
Limit the VM's access to the Cloud Storage buckets by setting the relevant access scope of the VM.
B
Create IAM bindings for the VM’s service account and the required buckets that allow appropriate access to the data stored in the buckets.
C
Grant the VM's service account access to the required buckets by using domain-wide delegation.
D
Create a group and assign IAM bindings to the group for each bucket that the application needs to access. Assign the VM's service account to the group.