Topic 1 Question 134

Associate Cloud Engineer

Topic 1 Question 134
You built an application on your development laptop that uses Google Cloud services. Your application uses Application Default Credentials for authentication and works fine on your development laptop. You want to migrate this application to a Compute Engine virtual machine (VM) and set up authentication using Google- recommended practices and minimal changes. What should you do?
- Assign appropriate access for Google services to the service account used by the Compute Engine VM.
- Create a service account with appropriate access for Google services, and configure the application to use this account.
- Store credentials for service accounts with appropriate access for Google services in a config file, and deploy this config file with your application.
- Store credentials for your user account with appropriate access for Google services in a config file, and deploy this config file with your application.
解説
Reference: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances

ユーザの投票
コメント(17)
- Correct Answer is (B):
  
  Best practices In general, Google recommends that each instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that instance to do its job. In practice, this means you should configure service accounts for your instances with the following process:
  
  Create a new service account rather than using the Compute Engine default service account. Grant IAM roles to that service account for only the resources that it needs. Configure the instance to run as that service account. Grant the instance the https://www.googleapis.com/auth/cloud-platform scope to allow full access to all Google Cloud APIs, so that the IAM permissions of the instance are completely determined by the IAM roles of the service account. Avoid granting more access than necessary and regularly check your service account permissions to make sure they are up-to-date.
  
  https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices
  
  👍 51
  ESP_SAP2020/08/21
- I would choose: A. Assign appropriate access for Google services to the service account used by the Compute Engine VM. as there is no need to create a new service account.
  
  👍 20
  filco722020/08/11
- 正解だと思う選択肢: B
  B is correct.
  
  👍 2
  Tirthankar172022/06/10
シャッフルモード

解説

ユーザの投票

コメント(17)