
Exam Professional Cloud Architect topic 2 question 3 discussion

Actual exam question from Google's Professional Cloud Architect
Question #: 3
Topic #: 2

JencoMart has decided to migrate user profile storage to Google Cloud Datastore and the application servers to Google Compute Engine (GCE). During the migration, the existing infrastructure will need access to Datastore to upload the data.
What service account key-management strategy should you recommend?

  • A. Provision service account keys for the on-premises infrastructure and for the GCE virtual machines (VMs)
  • B. Authenticate the on-premises infrastructure with a user account and provision service account keys for the VMs
  • C. Provision service account keys for the on-premises infrastructure and use Google Cloud Platform (GCP) managed keys for the VMs
  • D. Deploy a custom authentication service on GCE/Google Kubernetes Engine (GKE) for the on-premises infrastructure and use GCP managed keys for the VMs
Suggested Answer: C 🗳️

Comments

Zarmi
Highly Voted 3 years, 12 months ago
Answer: C. https://cloud.google.com/iam/docs/understanding-service-accounts#migrating_data_to_google_cloud_platform
There are two types of service account keys:
GCP-managed keys. These keys are used by Cloud Platform services such as App Engine and Compute Engine. They cannot be downloaded, and are automatically rotated and used for signing for a maximum of two weeks. The rotation process is probabilistic; usage of the new key will gradually ramp up and down over the key's lifetime. We recommend caching the public key set for a service account for at most 24 hours to ensure that you always have access to the current key set.
User-managed keys. These keys are created, downloadable, and managed by users. They expire 10 years from creation, and cease authenticating successfully when they are deleted from the service account.
upvoted 28 times
Carsonza
3 years, 7 months ago
While that heading doesn't exist anymore, the graphic in that doc speaks for itself.
upvoted 1 times
shashu07
Highly Voted 3 years, 10 months ago
Correct Answer: C. Where will the code that assumes the identity of the service account be running: on Google Cloud Platform or on-premises? https://cloud.google.com/iam/docs/understanding-service-accounts
upvoted 8 times
pakilodi
Most Recent 4 months, 4 weeks ago
Selected Answer: C
Answer: C
upvoted 2 times
Mahmoud_E
1 year, 6 months ago
Selected Answer: C
C is the right answer: https://cloud.google.com/iam/docs/understanding-service-accounts#migrating_data_to_google_cloud_platfor
upvoted 2 times
joe2211
2 years, 5 months ago
Selected Answer: C
vote C
upvoted 2 times
MamthaSJ
2 years, 9 months ago
Answer is C
upvoted 1 times
Yogikant
2 years, 11 months ago
Answer C. Refer to the first figure in https://cloud.google.com/iam/docs/understanding-service-accounts#migrating_data_to_google_cloud_platfor. It mentions using user-managed keys for on-premises usage of service accounts and GCP-managed keys for code running in GCP. Also, the case study emphasises using "managed services as much as possible". So this rules out A.
upvoted 4 times
victory108
2 years, 11 months ago
C. Provision service account keys for the on-premises infrastructure and use Google Cloud Platform (GCP) managed keys for the VMs
upvoted 1 times
Koushick
2 years, 12 months ago
Answer C as per https://cloud.google.com/iam/docs/understanding-service-accounts#migrating_data_to_google_cloud_platform
upvoted 1 times
Ausias18
3 years ago
Answer is C
upvoted 1 times
pawel_ski
3 years, 1 month ago
When you provision service account keys for the on-premises infrastructure, you must then manage them. So if the keys are managed by GCP, you must set up a process to rotate keys in the on-prem infrastructure. It is quite challenging. Therefore I prefer option B.
upvoted 1 times
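Zarmi's breakdown of the two key types and pawel_ski's point about rotation burden both come down to the same operational fact: with answer C, the on-premises side ends up holding user-managed keys that nobody rotates for you. The following script, added here and not part of the discussion or of Google's tooling, parses the JSON that `gcloud iam service-accounts keys list --iam-account=<SA_EMAIL> --managed-by=user --format=json` prints and flags keys older than a chosen threshold; the sample JSON, the reference clock, and the project/account names are constructed placeholders.

```python
"""Audit user-managed service account keys for rotation hygiene.

Input is the JSON that this command prints (sample below is constructed):
  gcloud iam service-accounts keys list --iam-account=<SA_EMAIL> \
      --managed-by=user --format=json
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of gcloud's JSON output. The project,
# service account and key ids are placeholders, not real resources.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/example-project/serviceAccounts/migration-sa@example-project.iam.gserviceaccount.com/keys/0123abcd",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
   "validAfterTime": "2023-01-10T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/migration-sa@example-project.iam.gserviceaccount.com/keys/4567efab",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
   "validAfterTime": "2024-05-01T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/migration-sa@example-project.iam.gserviceaccount.com/keys/89abcdef",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
   "validAfterTime": "2024-05-20T09:00:00Z", "validBeforeTime": "2024-06-05T09:00:00Z"}
]"""

# Constructed reference clock so the run is reproducible offline.
REFERENCE_NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)


def parse_rfc3339(stamp):
    """gcloud prints UTC timestamps with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys_json, now=REFERENCE_NOW, max_age_days=90):
    """Return (key_id, age_in_days) for each user-managed key older than max_age_days.

    SYSTEM_MANAGED keys are skipped on purpose: Google rotates them
    automatically, which is why answer C uses them for the VMs.
    """
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/keys/", 1)[-1]
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            stale.append((key_id, age.days))
    return stale


if __name__ == "__main__":
    for key_id, age_days in audit_keys(SAMPLE_KEYS_JSON):
        print(f"rotate key {key_id}: {age_days} days old")
```

Run it against the real command output piped into a file once the migration starts, and delete each flagged key with `gcloud iam service-accounts keys delete` after the replacement key is in place on-prem.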
AGG
3 years, 2 months ago
I will go with A, which is very similar to C, but answer C suggests using Google Cloud Platform (GCP) managed keys for the VMs (there is no word "ONLY" for the VMs), but it's a suggestion (this is how I perceive it). Answer A is copy/paste from the link: https://cloud.google.com/iam/docs/understanding-service-accounts#migrating_data_to_google_cloud_platform "A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: - Running workloads on virtual machines (VMs)." (first part of answer A = "and for the GCE virtual machines (VMs)") "- Running workloads on on-premises workstations or data centers that call Google APIs." (second part of answer A = "Provision service account keys for the on-premises infrastructure")
upvoted 4 times
ahmedemad3
3 years, 2 months ago
Ans: C makes sense: service account keys for the infrastructure and managed keys for the VMs.
upvoted 1 times
bnlcnd
3 years, 3 months ago
A / B / C are all playing with words. But the key point is who needs a service account key, no matter where the key is managed, GCP-managed or customer-managed. Only the on-prem resource needs the service account key. So only C is right.
upvoted 1 times
ybe_gcp_cert
3 years, 4 months ago
In C, the VM part is wrong. A VM doesn't use a key directly from a conf point of view. It uses a service account that is linked with a key pair. The key could be managed by Google or user-managed. https://cloud.google.com/iam/docs/service-accounts#service_account_keys C is only playing with words... I would go with A.
upvoted 2 times
_CloudTech_
3 years, 5 months ago
C is ok
upvoted 1 times
JCGO
3 years, 5 months ago
Accessing something on Google Cloud from on-premises is done using service accounts these days. Datastore, for example: https://cloud.google.com/datastore/docs/activate Service account keys can be managed by Google, or can be self-generated with the public key uploaded. The question asks about provisioning service account keys during the migration phase, when on-prem stuff needs access to Datastore. C looks good. A looks good also, but A involves provisioning service account keys for cloud VMs -> it is done another way. You could give permissions to the default compute service account per API, or create a service account, give it appropriate permissions and choose it while creating the cloud VM. I can not see any point bothering with service account keys for cloud VMs here. So I choose C.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other