Google Associate Cloud Engineer
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
How should a VM securely write objects to Cloud Storage?
Simulated
Community
RRodrigo
A
Make the bucket public
B
Use ACLs
C
Grant IAM role to the VM service account
D
Share user credentials
Explanation:
Explanation
The correct answer is C) Grant IAM role to the VM service account.
Why this is correct:
- Service accounts are the recommended way for VMs and other Google Cloud resources to authenticate and authorize access to Google Cloud services.
- IAM roles provide fine-grained access control to Cloud Storage buckets and objects.
- By granting the appropriate IAM role (such as
roles/storage.objectCreatororroles/storage.objectAdmin) to the VM's service account, the VM can securely write objects without exposing credentials. - This approach follows the principle of least privilege and doesn't require managing or sharing user credentials.
Why the other options are incorrect:
- A) Make the bucket public: This is insecure as it allows anyone to access the bucket, not just the VM.
- B) Use ACLs: While ACLs can be used, they are a legacy access control method and IAM roles are the recommended approach for Google Cloud resources.
- D) Share user credentials: This is insecure and violates security best practices. User credentials should never be shared with VMs or applications.
Best Practice:
The recommended approach is to:
- Create a service account for the VM
- Grant the service account the appropriate IAM role for Cloud Storage access
- Ensure the VM instance is configured to use that service account
- The VM can then use the service account's credentials to authenticate and write objects to Cloud Storage securely.
Comments
Loading comments...