Topic 2 Question 3
JencoMart has decided to migrate user profile storage to Google Cloud Datastore and the application servers to Google Compute Engine (GCE). During the migration, the existing infrastructure will need access to Datastore to upload the data. What service account key-management strategy should you recommend?
A. Provision service account keys for the on-premises infrastructure and for the GCE virtual machines (VMs)
B. Authenticate the on-premises infrastructure with a user account and provision service account keys for the VMs
C. Provision service account keys for the on-premises infrastructure and use Google Cloud Platform (GCP) managed keys for the VMs
D. Deploy a custom authentication service on GCE/Google Kubernetes Engine (GKE) for the on-premises infrastructure and use GCP managed keys for the VMs
Explanation
Migrating data to Google Cloud Platform: let's say that you have some data processing that happens on another cloud provider and you want to transfer the processed data to Google Cloud Platform. You can use a service account from the virtual machines on the external cloud to push the data to Google Cloud Platform. To do this, you must create and download a service account key when you create the service account and then use that key from the external process to call the Cloud Platform APIs.
Reference: https://cloud.google.com/iam/docs/understanding-service-accounts#migrating_data_to_google_cloud_platform
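The strategy in the explanation leaves one account (the on-premises loader) with a downloaded, user-managed key and the GCE accounts with GCP-managed keys. The following added example (not code from the original page or from Google) audits a keys listing against exactly that policy; it assumes the record shape of `gcloud iam service-accounts keys list --format=json` (`name`, `keyType`, `validAfterTime`), and the account names, records and 90-day rotation threshold are constructed assumptions.

```python
# Added example (not from the original page or Google): audit the keys on the
# service accounts involved in a migration like this one. Assumes the record
# shape of `gcloud iam service-accounts keys list --format=json` (name, keyType,
# validAfterTime); records, account names and the 90-day threshold are constructed.
import json
from datetime import datetime, timezone

KEY_NAME = "projects/demo/serviceAccounts/%s@demo.iam.gserviceaccount.com/keys/%s"
VM_ACCOUNTS = {"gce-app@demo.iam.gserviceaccount.com"}  # accounts attached to GCE VMs
AUDIT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
# Constructed sample: keys on the on-prem loader account and the GCE app account.
SAMPLE_KEYS_JSON = json.dumps([
    {"name": KEY_NAME % ("onprem-loader", "key-old"), "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T00:00:00Z"},
    {"name": KEY_NAME % ("onprem-loader", "key-new"), "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T00:00:00Z"},
    {"name": KEY_NAME % ("gce-app", "key-sys"), "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-05-20T00:00:00Z"},
    {"name": KEY_NAME % ("gce-app", "key-leak"), "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-25T00:00:00Z"},
])

def parse_time(stamp):
    """Parse the RFC 3339 UTC timestamps the IAM API returns."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_keys(keys_json, now, vm_accounts, max_age_days=90):
    """Return (account, key_id, reason) findings for user-managed keys.

    GCP-managed (SYSTEM_MANAGED) keys rotate on their own and are skipped.
    A downloaded key on an account the GCE VMs use should not exist at all;
    on other accounts (the on-prem loader) it must be rotated in time.
    """
    findings = []
    for key in json.loads(keys_json):
        account = key["name"].split("/serviceAccounts/")[1].split("/keys/")[0]
        key_id = key["name"].rsplit("/", 1)[1]
        if key["keyType"] != "USER_MANAGED":
            continue
        if account in vm_accounts:
            findings.append((account, key_id, "downloaded key on a VM account; delete it"))
            continue
        age_days = (now - parse_time(key["validAfterTime"])).days
        if age_days > max_age_days:
            findings.append((account, key_id, f"user-managed key is {age_days} days old; rotate"))
    return findings

def run_sample():
    """Audit the constructed sample with the fixed clock; returns the findings."""
    return audit_keys(SAMPLE_KEYS_JSON, AUDIT_NOW, VM_ACCOUNTS)
```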
User votes
Comments (17)
There are two types of service account keys:
GCP-managed keys. These keys are used by Cloud Platform services such as App Engine and Compute Engine. They cannot be downloaded, and are automatically rotated and used for signing for a maximum of two weeks. The rotation process is probabilistic; usage of the new key will gradually ramp up and down over the key's lifetime. We recommend caching the public key set for a service account for at most 24 hours to ensure that you always have access to the current key set.
User-managed keys. These keys are created, downloadable, and managed by users. They expire 10 years from creation, and cease authenticating successfully when they are deleted from the service account.
👍 27 Zarmi 2020/05/05
Correct Answer: C. Where will the code that assumes the identity of the service account be running: on Google Cloud Platform or on-premises? https://cloud.google.com/iam/docs/understanding-service-accounts
👍 8 shashu07 2020/06/16
I will go with A, which is very similar to C, but answer C suggests using Google Cloud Platform (GCP) managed keys for the VMs (there is no word "ONLY" for the VMs); but it's a suggestion (this is how I perceive it). Answer A is copy/paste from the link: https://cloud.google.com/iam/docs/understanding-service-accounts#migrating_data_to_google_cloud_platform
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.
Typically, service accounts are used in scenarios such as:
- Running workloads on virtual machines (VMs). (First part of answer A: "and for the GCE virtual machines (VMs)")
- Running workloads on on-premises workstations or data centers that call Google APIs. (Second part of answer A: "Provision service account keys for the on-premises infrastructure")
👍 4 AGG 2021/02/15