
Answer-first summary for fast verification
Answer: Grant IAM role to the VM service account
## Explanation

The correct answer is **C) Grant IAM role to the VM service account**.

### Why this is correct:

1. **Service accounts** are the recommended way for VMs and other Google Cloud resources to authenticate and authorize access to Google Cloud services.
2. **IAM roles** provide fine-grained access control to Cloud Storage buckets and objects.
3. By granting the appropriate IAM role (such as `roles/storage.objectCreator` or `roles/storage.objectAdmin`) to the VM's service account, the VM can securely write objects without exposing credentials.
4. This approach follows the principle of least privilege and doesn't require managing or sharing user credentials.

### Why the other options are incorrect:

- **A) Make the bucket public**: This is insecure, as it allows anyone to access the bucket, not just the VM.
- **B) Use ACLs**: While ACLs can be used, they are a legacy access control method; IAM roles are the recommended approach for Google Cloud resources.
- **D) Share user credentials**: This is insecure and violates security best practices. User credentials should never be shared with VMs or applications.

### Best Practice:

The recommended approach is to:

1. Create a service account for the VM.
2. Grant the service account the appropriate IAM role for Cloud Storage access.
3. Ensure the VM instance is configured to use that service account.
4. The VM can then use the service account's credentials to authenticate and write objects to Cloud Storage securely.
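The four steps above expressed as a Terraform configuration, added here as an example (not part of the original answer); the project id, bucket name, zone, machine type and image are assumed placeholders:

```hcl
# Added example: dedicated service account + least-privilege bucket binding + VM.
# Assumed placeholders: my-project, my-upload-bucket, us-central1-a.

provider "google" {
  project = "my-project"   # placeholder project id
}

# 1. A dedicated service account for this VM (not the default Compute Engine
#    service account, which typically carries the broad Editor role).
resource "google_service_account" "uploader" {
  account_id   = "vm-uploader"
  display_name = "VM that writes objects to the upload bucket"
}

# 2. Grant only what the VM needs, scoped to the one bucket rather than the
#    whole project. roles/storage.objectCreator permits creating objects but
#    not reading, listing or deleting them; choose roles/storage.objectAdmin
#    only if the workload really has to overwrite or delete objects.
resource "google_storage_bucket_iam_member" "uploader_can_create" {
  bucket = "my-upload-bucket"   # placeholder, an existing bucket
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:${google_service_account.uploader.email}"
}

# 3. Attach the service account to the instance. Client libraries on the VM
#    fetch short-lived tokens from the metadata server, so no key file or user
#    credential is ever copied onto the machine (step 4 of the answer).
resource "google_compute_instance" "uploader_vm" {
  name         = "uploader-vm"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  service_account {
    email  = google_service_account.uploader.email
    # Access scopes are a legacy coarse filter; with cloud-platform the
    # effective permissions are exactly the IAM role granted above.
    scopes = ["cloud-platform"]
  }
}
```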
Author: Rodrigo Sales