Topic 1 Question 26
You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?
Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/devstorage.write_only'.
Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/cloud-platform'.
Create a service account and add it to the IAM role 'storage.objectCreator' for that bucket.
Create a service account and add it to the IAM role 'storage.objectAdmin' for that bucket.
Comments (17)
As per the least privilege recommended by Google, C is the correct option. A is incorrect because the scope doesn't exist. B is incorrect because it will give him full control.
👍 48 coldpar 2020/03/15
In reviewing this, it looks to be a multiple-answer question. According to Best Practices in this Google Doc (https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices), you grant the instance the scope, and the permissions are determined by the IAM roles of the service account. In this case, you would grant the instance the scope and the role (storage.objectCreator) to the service account.
Ans B and C
Role from GCP Console: ID = roles/storage.objectCreator; Role launch stage = General Availability; Description = Access to create objects in GCS.
3 assigned permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.create
👍 16 XRiddlerX 2020/07/07
Selected answer: C
To allow a Compute Engine instance to write to a Cloud Storage bucket, you can create a service account and add it to the IAM role storage.objectCreator for that bucket.
This will grant the service account permission to create objects in the bucket. Therefore, Answer C is correct.
👍 3 Buruguduystunstugudunstuy 2023/02/18
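As an added example (not code from the thread or from Google's tooling): a small Python script that applies the option C binding to a bucket IAM policy the way a read-modify-write with `gcloud storage buckets get-iam-policy` / `set-iam-policy` or the client library would, and flags service accounts that hold broader bucket roles such as `storage.objectAdmin` (the option D pattern). The policy document, bucket and service-account e-mail are constructed for the example.

```python
import copy

# Predefined Cloud Storage roles that grant more than "create objects" on a
# bucket (delete, overwrite or IAM changes). Assumption: which roles count as
# over-broad is a policy choice; this set is the obvious starting point.
OVERBROAD_ROLES = {
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyObjectOwner",
}
LEAST_PRIVILEGE_ROLE = "roles/storage.objectCreator"


def grant_object_creator(policy: dict, sa_email: str) -> dict:
    """Return a copy of a bucket IAM policy with roles/storage.objectCreator
    granted to the service account. Idempotent, and keeps the etag so the
    caller can do a safe read-modify-write (a stale etag is rejected)."""
    member = f"serviceAccount:{sa_email}"
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        # Only reuse an unconditional binding; a conditional one is a different grant.
        if binding["role"] == LEAST_PRIVILEGE_ROLE and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": LEAST_PRIVILEGE_ROLE, "members": [member]})
    return new_policy


def find_overbroad_bindings(policy: dict) -> list:
    """List (member, role) pairs where a service account holds a bucket role
    broader than object creation, i.e. the grants a least-privilege review flags."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] in OVERBROAD_ROLES:
            for member in binding["members"]:
                if member.startswith("serviceAccount:"):
                    findings.append((member, binding["role"]))
    return findings


# Constructed sample in the shape `gcloud storage buckets get-iam-policy
# gs://BUCKET --format=json` returns; not taken from a real project.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:legacy-vm@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
    ],
    "etag": "CAE=",
    "version": 1,
}

if __name__ == "__main__":
    updated = grant_object_creator(SAMPLE_POLICY, "writer-vm@example-project.iam.gserviceaccount.com")
    for binding in updated["bindings"]:
        print(binding["role"], binding["members"])
    for member, role in find_overbroad_bindings(updated):
        print(f"over-broad: {member} holds {role}")
```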