
Answer-first summary for fast verification
Answer: Create a custom role with the permission compute.instances.list and grant the Service Account this role.
Option B is correct because it follows the principle of least privilege, which Google recommends for IAM. Listing Compute Engine instances requires only the compute.instances.list permission, so a custom role containing that single permission, bound to the service account at project level, is the minimal grant. Option A is incorrect: Compute Engine access scopes are a legacy mechanism that limits the OAuth token of a service account attached to a VM; they do not grant permissions by themselves, cannot be narrowed to a single permission, and creating an Instance Template does not create a service account at all. Google's guidance is to control access with IAM roles and to keep scopes broad (cloud-platform) when a service account is attached to an instance. Option C (Compute Viewer, roles/compute.viewer) grants get/list access to all Compute Engine resources, and Option D (Project Viewer, the basic role roles/viewer) grants read access to nearly every resource in the project, so both exceed what the task needs and violate least privilege. The community discussion of this question also supports B for the same reason. A practical check after applying B: the service account should be able to list instances but a `describe` of an individual instance should be denied, because compute.instances.get was never granted; if it succeeds, the binding is broader than intended.
Author: LeetQuiz Editorial Team
You need to create a new Service Account that can list Compute Engine instances in a project while adhering to Google's recommended practices. What should you do?
A
Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
B
Create a custom role with the permission compute.instances.list and grant the Service Account this role.
C
Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
D
Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
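The following script is an added example of implementing Option B with the gcloud CLI; it is not part of the original question or of the quiz site's material. The project ID (my-project), service account name (instance-lister), custom role ID (instanceLister) and the GCLOUD dry-run variable are assumptions chosen for illustration. Impersonation in the verification step also assumes the caller holds roles/iam.serviceAccountTokenCreator on the new service account.

```shell
#!/bin/sh
# Added example (not from the original page): least-privilege setup for a
# service account that may only list Compute Engine instances.
# Assumed placeholders: project "my-project", service account "instance-lister",
# custom role "instanceLister". Set GCLOUD=echo to print the commands instead
# of executing them (dry run); by default the real gcloud binary is used.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Create a custom role holding exactly one permission, create a dedicated
# service account, and bind the role to it at project level.
# Prints the service account e-mail address on success.
grant_instance_lister() {
  project="$1"; sa_name="$2"; role_id="$3"
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"

  # 1. Custom role: compute.instances.list and nothing else.
  "$GCLOUD" iam roles create "$role_id" \
    --project="$project" \
    --title="Compute Instance Lister" \
    --description="List Compute Engine instances only" \
    --permissions=compute.instances.list \
    --stage=GA

  # 2. Dedicated service account (do not reuse the default Compute Engine SA).
  "$GCLOUD" iam service-accounts create "$sa_name" \
    --project="$project" \
    --display-name="Instance lister"

  # 3. Bind the custom role (projects/PROJECT/roles/ROLE_ID) to the SA.
  #    --condition=None makes the binding unconditional without prompting.
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" \
    --role="projects/${project}/roles/${role_id}" \
    --condition=None

  echo "$sa_email"
}

# Verify the grant by listing instances while impersonating the SA.
# A follow-up "gcloud compute instances describe" with the same impersonation
# flag should be denied (403), since compute.instances.get was never granted.
verify_instance_listing() {
  project="$1"; sa_email="$2"
  "$GCLOUD" compute instances list \
    --project="$project" \
    --impersonate-service-account="$sa_email"
}

# Usage (real run):
#   sa=$(grant_instance_lister my-project instance-lister instanceLister)
#   verify_instance_listing my-project "$sa"
```

Running the script with `GCLOUD=echo` shows the three IAM commands that will be issued without touching the project; the custom role is referenced by its full `projects/PROJECT/roles/ROLE_ID` name in the binding, which is where people most often get the syntax wrong.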