You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow
Google-recommended practices. What should you do?
You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow
Google-recommended practices. What should you do?
To enable Compute Engine instances to write data into a particular Cloud Storage bucket, you should create a service account and assign it the IAM role 'storage.objectCreator' for that bucket. This role allows the service account to create new objects in the bucket without granting unnecessary permissions. This follows the principle of least privilege, ensuring that the service account has only the access it needs to perform its tasks.
As per as the least privileage recommended by google, C is the correct Option, A is incorrect because the scope doesnt exist. B incorrect because it will give him full of control
The scope does exist - https://download.huihoo.com/google/gdgdevkit/DVD1/developers.google.com/compute/docs/api/how-tos/authorization.html
No it doesn't. You have read-only, read-write, full-control and others... but "write-only" is not a thing. https://cloud.google.com/storage/docs/authentication
it doesn't exist. show us this on official google website
Check here, it is A-> https://cloud.google.com/storage/docs/authentication https://cloud.google.com/storage/docs/authentication
In the Document, it includes https://www.googleapis.com/auth/devstorage.read_write scope
There is no scope called write-only, as per the reference document.
In the Document, 'write -only' does not exist. Just read-only
In reviewing this, it looks to be a multiple answer question. According to Best Practices in this Google Doc (https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices) you grant the instance the scope and the permissions are determined by the IAM roles of the service account. In this case, you would grant the instance the scope and the role (storage.objectCreator) to the service account. Ans B and C Role from GCP Console: ID = roles/storage.objectCreator Role launch stage = General Availability Description = Access to create objects in GCS. 3 assigned permissions resourcemanager.projects.get resourcemanager.projects.list storage.objects.create
There are many access scopes available to choose from, but a best practice is to set the cloud-platform access scope, which is an OAuth scope for most Google Cloud services, and then control the service account's access by granting it IAM roles..you have an app that reads and writes files on Cloud Storage, it must first authenticate to the Cloud Storage API. You can create an instance with the cloud-platform scope and attach a service account to the instance https://cloud.google.com/compute/docs/access/service-accounts
Reading the second point of the best practice. You should grant your VM the https://www.googleapis.com/auth/cloud-platform scope to allow access to most of Google Cloud APIs. So, that the IAM permissions are completely determined by the IAM roles you granted to the service account. The conclusion is you should not mess up with the VM scopes to grant access to Google Services, instead you should grant the access via IAM roles of the service account you attached to the VM. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices
C is correct answer
The correct answer is C. The other options are not accurate and go against the principle of giving least required access. A is incorrect as there is no role as write_only B is not a good option as it gives full control of google cloud services where as we are looking for write data into a particular cloud storage bucket D. is not a good option as it gives full control over objects Sources: https://cloud.google.com/storage/docs/authentication https://cloud.google.com/storage/docs/access-control/iam-roles
Option C is the correct answer. To grant a set of Compute Engine instances permissions to write data to a particular Cloud Storage bucket, you should create a service account and add it to the IAM role 'storage.objectCreator' for that bucket. This IAM role allows the service account to create new objects in the bucket, but it does not allow it to modify or delete existing objects. Option A is incorrect because the access scope 'https://www.googleapis.com/auth/devstorage.write_only' does not exist. Option B is incorrect because the access scope 'https://www.googleapis.com/auth/cloud-platform' grants permissions for all Google Cloud Platform services, which is overly broad and not recommended. Option D is incorrect because the IAM role 'storage.objectAdmin' provides full control over the bucket, which is more access than necessary to allow the Compute Engine instances to write data to the bucket.
Associate Cloud Engineer exam booked very soon. kindly share the all the questions and any other support exam to clear this
Hi Neha, Please let me know how your exam was? I am taking the exam soon. Thanks
should be A https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors
C is the correct answer
According to least priviliges, the correct answer is C
IAM Work on Principal of least privilege,
The correct answer is C. There is no role as write only its read only hence A is incorrect.
The ask is how the “Compute Engine instances to enable them to write data into a particular Cloud Storage bucket”. A service account is a special kind of account used by an application or compute workload, rather than a person. When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no resources can be accessed using the service account on that instance. The best Practice suggested by Google is refer in this link: https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice https://cloud.google.com/storage/docs/access-control/iam-roles shows that storage.objectCreator is best choice of the role for this problem statement.
C is correct
C is correct
c seems more correct, you need to go iam to provide the permissions , b and d will give it more or full access
storage.objectCreator contains sufficient privileges to do the job & so admin is not required
Correct answer is D
Correct answer is C