You have deployed an application on a Compute Engine instance. An external consultant needs to access the Linux-based instance. The consultant is connected to your corporate network through a VPN connection, but the consultant has no Google account. What should you do?
To provide access to a Linux-based Compute Engine instance for an external consultant who does not have a Google account but is connected to the corporate network through VPN, you should instruct the consultant to generate an SSH key pair. Request the public key from the consultant, add the public key to the instance yourself, and then have the consultant access the instance through SSH using their private key. This method ensures secure and authenticated access without requiring a Google account.
A. Using Identity-Aware Proxy (IAP): While IAP is a secure method of accessing Compute Engine instances, it typically requires a Google account for authentication, which the consultant does not have.
Per ChatGPT, Option C provides a secure and recommended method for granting the external consultant access to the Compute Engine instance using SSH key authentication without the need for a Google account.
The correct answer is **C**. To allow an external consultant to access a Linux-based Compute Engine instance, you should: - Instruct the external consultant to generate an **SSH key pair**. This will result in a public key and a private key. - Request the **public key** from the consultant. The public key can be shared without compromising security. - Add the public key to the instance yourself. This will allow the consultant to authenticate with the Compute Engine instance. - Have the consultant access the instance through SSH with their **private key**. The private key should be kept secret and not shared. The other options (A, B, and D) are not correct because they either require the consultant to have a Google account, expose the instance to the public internet, or involve sharing the private key, which is a security risk.
See responses on question #152 And https://cloud.google.com/iap/docs/external-identities. RE: IAP "This is useful if your application is already using an external authentication system, and migrating your users to Google accounts is impractical"
but the consultant is already in the corporate network through VPN, no need an external access
C. Instruct the external consultant to generate an SSH key pair, and request the public key from the consultant. Add the public key to the instance yourself, and have the consultant access the instance through SSH with their private key.
A (IAP) is the solution
Should be A based on the previous questions
A requires a Google account and the consultant has not. So it is C.
IMO answer is "A". IAP does not require Google account. There are other authentication methods supported by IAP too. Ref: https://cloud.google.com/iap/docs/authenticate-users-external-identities