Answer: Signed URL with expiration

## Explanation **Correct Answer: B) Signed URL with expiration** **Why this is the best solution:** 1. **Time-limited access**: Signed URLs can be configured with a specific expiration time (4 hours in this case), after which the URL becomes invalid. 2. **Secure sharing**: The object remains private in the bucket - only users with the signed URL can access it. 3. **No authentication required**: External users don't need Google accounts to access the object. 4. **No bucket policy changes**: The bucket remains private, maintaining security. **Why other options are incorrect:** - **A) Make bucket public temporarily**: This is insecure as it exposes the entire bucket to the public internet, not just the specific object for the specific user. - **C) Create a Google account**: This is unnecessary overhead for temporary access and requires the external user to have/manage a Google account. - **D) Use VPC Service Controls**: This is for network perimeter security and doesn't address temporary object sharing with external users. **How to implement:** ```bash # Generate a signed URL with 4-hour expiration gsutil signurl -d 4h key.json gs://bucket-name/object-name ``` This approach provides the precise, time-limited, secure access required for the scenario.

Author: Rodrigo Sales