Your company pushes batches of sensitive transaction data from its application server VMs to Cloud Pub/Sub for processing and storage. What is the Google-recommended way for your application to authenticate to the required Google Cloud services?
A. Ensure that VM service accounts are granted the appropriate Cloud Pub/Sub IAM roles.
B. Ensure that VM service accounts do not have access to Cloud Pub/Sub, and use VM access scopes to grant the appropriate Cloud Pub/Sub IAM roles.
C. Generate an OAuth2 access token for accessing Cloud Pub/Sub, encrypt it, and store it in Cloud Storage for access from each VM.
D. Create a gateway to Cloud Pub/Sub using a Cloud Function, and grant the Cloud Function service account the appropriate Cloud Pub/Sub IAM roles.
It's because of questions like these that I do not feel guilty about using question banks :D In what world would you accept value requirements like this from your user? Wouldn't you ask "Do you want to just authenticate, or the data to be encrypted on its way to Pub/Sub?"
I'll ignore the first part of the question and assume all data is sensitive, and focus on "What is the Google-recommended way for your application to authenticate to the required Google Cloud services?" -- The answer then is A.
Use encryption and defense-in-depth for the first part.
> It's because of questions like these that I do not feel guilty about using question banks :D
Same. To me, it wasn't clear whether the servers were in Google or not due to the question about accessing Google Cloud. It was asked as if the VMs were outside of Google.
A. Ensure that VM service accounts are granted the appropriate Cloud Pub/Sub IAM roles.
The Google-recommended way for your application to authenticate to Cloud Pub/Sub and other Google Cloud services when running on Compute Engine VMs is to use VM service accounts. VM service accounts are automatically created when you create a Compute Engine VM, and they are associated with the VM instance. To authenticate to Cloud Pub/Sub and other Google Cloud services, you should ensure that the VM service accounts are granted the appropriate IAM roles.
Option B, ensuring that VM service accounts do not have access to Cloud Pub/Sub and using VM access scopes to grant the appropriate Cloud Pub/Sub IAM roles, would not be a suitable solution because VM service accounts are required for authentication to Google Cloud services.
Option C, generating an OAuth2 access token for accessing Cloud Pub/Sub, encrypting it, and storing it in Cloud Storage for access from each VM, would not be a suitable solution because it would require manual management of access tokens, which can be error-prone and insecure.
Option D, creating a gateway to Cloud Pub/Sub using a Cloud Function and granting the Cloud Function service account the appropriate Cloud Pub/Sub IAM roles, would not be a suitable solution because it would not allow the application to directly authenticate to Cloud Pub/Sub.
A – ensure that VM service accounts are granted the appropriate Cloud Pub/Sub IAM roles.
Check Migrating Data to GCP section of this page:
https://cloud.google.com/iam/docs/understanding-service-accounts
You will create a service account key and use it from an external process to call Cloud Platform APIs.
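
Added example, not part of the thread or of Google's documentation: a small audit check showing why option A works and option B does not. On a Compute Engine VM a call succeeds only if the attached service account holds an IAM role with the permission and the VM's access scopes cover the API; scopes alone never grant a role. The instance and policy dictionaries are constructed samples shaped like `gcloud compute instances describe` and `gcloud projects get-iam-policy` JSON output; the account name, the role subset, and the project-level-only view (no topic-level policies or IAM conditions) are assumptions.

```python
# Access scopes that let the VM's OAuth token reach the Pub/Sub API.
PUBSUB_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/pubsub",
}
# Predefined roles containing pubsub.topics.publish (subset, not exhaustive).
PUBLISH_ROLES = {"roles/pubsub.publisher", "roles/pubsub.editor", "roles/pubsub.admin"}

def can_publish(instance, policy):
    """Return (allowed, reasons): allowed needs an IAM role AND a covering scope."""
    accounts = instance.get("serviceAccounts", [])
    if not accounts:
        return False, ["no service account attached to the VM"]
    reasons = []
    for sa in accounts:
        member = "serviceAccount:" + sa["email"]
        roles = {b["role"] for b in policy.get("bindings", [])
                 if member in b.get("members", [])}
        has_role = bool(roles & PUBLISH_ROLES)
        has_scope = bool(set(sa.get("scopes", [])) & PUBSUB_SCOPES)
        if has_role and has_scope:
            return True, []
        if not has_role:
            reasons.append(f"{sa['email']}: no IAM role with pubsub.topics.publish")
        if not has_scope:
            reasons.append(f"{sa['email']}: access scopes exclude Pub/Sub")
    return False, reasons

# Constructed sample data (hypothetical project and account names).
SA = "batch-publisher@example-project.iam.gserviceaccount.com"
SCOPE = "https://www.googleapis.com/auth/"
POLICY_WITH_ROLE = {"bindings": [{"role": "roles/pubsub.publisher",
                                  "members": ["serviceAccount:" + SA]}]}
POLICY_NO_ROLE = {"bindings": []}

def vm(*scopes):
    return {"name": "app-vm", "serviceAccounts": [
        {"email": SA, "scopes": [SCOPE + s for s in scopes]}]}

if __name__ == "__main__":
    cases = {
        "option A (role + broad scope)": (vm("cloud-platform"), POLICY_WITH_ROLE),
        "option B (scope only, no role)": (vm("pubsub"), POLICY_NO_ROLE),
        "role but narrow scope": (vm("devstorage.read_only"), POLICY_WITH_ROLE),
    }
    for label, (instance, policy) in cases.items():
        print(label, "->", can_publish(instance, policy))
```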