ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Developer All Questions

View all questions & answers for the Professional Cloud Developer exam
Go to Exam

Exam Professional Cloud Developer topic 1 question 256 discussion

Actual exam question from Google's Professional Cloud Developer
Question #: 256
Topic #: 1
[All Professional Cloud Developer Questions]

Your team is creating a serverless web application on Cloud Run. The application needs to access images stored in a private Cloud Storage bucket. You want to give the application Identity and Access Management (IAM) permission to access the images in the bucket, while also securing the services using Google-recommended best practices. What should you do?

  • A. Enforce signed URLs for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.
  • B. Enforce public access prevention for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.
  • C. Enforce signed URLs for the desired bucket. Create and update the Cloud Run service to use a user-managed service account. Grant the Storage Object Viewer IAM role on the bucket to the service account.
  • D. Enforce public access prevention for the desired bucket. Create and update the Cloud Run service to use a user-managed service account. Grant the Storage Object Viewer IAM role on the bucket to the service account.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by yokoyan at April 23, 2023, 7:25 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
JonathanSJ
11 months ago
Selected Answer: D
I will go for D. Option C sounds good, but as the service account only have the Storage Object Viewer role it can't generate signed URLs for files from bucket because need storage.object.get, then it's incorrect.
upvoted 1 times
...
__rajan__
1 year, 3 months ago
Selected Answer: D
This approach allows you to secure your Cloud Storage bucket by enforcing public access prevention, which prevents data from being accidentally shared with the public. By creating and updating the Cloud Run service to use a user-managed service account, you can ensure that only this service has access to the bucket. Granting the Storage Object Viewer IAM role on the bucket to the service account allows the service to read objects stored in the bucket.
upvoted 1 times
...
purushi
1 year, 4 months ago
Selected Answer: D
D is right. 1) Create service account with role of viewing the objects under Cloud storage bucket 2) Create policies to prevent public access to the bucket. A and C: Neither of these are close to the solution. B is somewhat closer but the statement "Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account" is wrong since we need to create service account for the application and not for VM.
upvoted 2 times
...
Writer
1 year, 8 months ago
Selected Answer: D
most secure and efficient way to give the application Identity and Access Management (IAM) permission to access the images in the bucket.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel