You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?
A. Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/devstorage.write_only'.
B. Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/cloud-platform'.
C. Create a service account and add it to the IAM role 'storage.objectCreator' for that bucket.
D. Create a service account and add it to the IAM role 'storage.objectAdmin' for that bucket.
As per the least privilege recommended by Google, C is the correct option. A is incorrect because the scope doesn't exist. B is incorrect because it will give full control.
No it doesn't. You have read-only, read-write, full-control and others... but "write-only" is not a thing.
https://cloud.google.com/storage/docs/authentication
In reviewing this, it looks to be a multiple answer question. According to Best Practices in this Google Doc (https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices) you grant the instance the scope and the permissions are determined by the IAM roles of the service account. In this case, you would grant the instance the scope and the role (storage.objectCreator) to the service account.
Ans B and C
Role from GCP Console:
ID = roles/storage.objectCreator
Role launch stage = General Availability
Description = Access to create objects in GCS.
3 assigned permissions
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
There are many access scopes available to choose from, but a best practice is to set the cloud-platform access scope, which is an OAuth scope for most Google Cloud services, and then control the service account's access by granting it IAM roles. If you have an app that reads and writes files on Cloud Storage, it must first authenticate to the Cloud Storage API. You can create an instance with the cloud-platform scope and attach a service account to the instance.
https://cloud.google.com/compute/docs/access/service-accounts
Reading the second point of the best practice: you should grant your VM the https://www.googleapis.com/auth/cloud-platform scope to allow access to most Google Cloud APIs.
So the IAM permissions are completely determined by the IAM roles you granted to the service account.
The conclusion is that you should not mess with the VM scopes to grant access to Google services; instead you should grant the access via IAM roles of the service account you attached to the VM.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices
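The setup the two comments above describe (cloud-platform scope on the VM, least-privilege IAM role bound on the bucket), as an added example script that is not from the original thread or from Google. The project, bucket, zone and service account name are placeholders; `storage_scope_uri` only knows the Cloud Storage scopes that actually exist, so asking for a "write_only" scope fails.

```shell
#!/bin/sh
# Added example: least-privilege setup for VMs that only need to create objects in one bucket.
# PROJECT_ID, BUCKET, ZONE and SA_NAME are assumed placeholders, not values from the page.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-placeholder}"
BUCKET="${BUCKET:-my-bucket-placeholder}"
ZONE="${ZONE:-us-central1-a}"
SA_NAME="${SA_NAME:-bucket-writer}"
# objectCreator carries only storage.objects.create (plus project get/list); objectAdmin would
# also allow get, list, update and delete on every object in the bucket.
ROLE="roles/storage.objectCreator"

# Pure helper: IAM member string for a service account in a project.
sa_member() {
  printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Pure helper: map a Cloud Storage scope alias to its OAuth URI. Only read_only, read_write and
# full_control exist; anything else (e.g. write_only, as in option A) is rejected.
storage_scope_uri() {
  case "$1" in
    read_only|read_write|full_control) printf 'https://www.googleapis.com/auth/devstorage.%s' "$1" ;;
    *) echo "no such Cloud Storage scope: $1" >&2; return 1 ;;
  esac
}

# Create the SA, bind the role on the bucket only (not project-wide), attach it to the VM with
# the cloud-platform scope so that the IAM role, not the scope, is what bounds access.
apply_setup() {
  member=$(sa_member "$SA_NAME" "$PROJECT_ID")
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" --display-name="Bucket writer"
  gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" --member="$member" --role="$ROLE"
  gcloud compute instances create "$SA_NAME-vm-1" --project="$PROJECT_ID" --zone="$ZONE" \
    --service-account="${member#serviceAccount:}" --scopes=cloud-platform
}

# Review check: list the roles bound to this SA on the bucket so an over-broad role stands out.
check_bindings() {
  gcloud storage buckets get-iam-policy "gs://$BUCKET" --format=json \
    | grep -B3 "$(sa_member "$SA_NAME" "$PROJECT_ID")" | grep '"role"' || true
}

case "${1:-}" in
  apply) apply_setup ;;
  check) check_bindings ;;
esac
```

Run with `apply` to create the binding and VM, and with `check` afterwards to confirm only objectCreator is bound for that service account.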
C. As you want to use predefined roles, and Admin gives more permissions than asked for (you just need write permissions), only storage.objectCreator is needed.
The reason why A is not an answer.
The correct answer is C.
The other options are not accurate and go against the principle of giving least required access.
A is incorrect as there is no role as write_only
B is not a good option as it gives full control of Google Cloud services, whereas we are looking to write data into a particular Cloud Storage bucket.
D is not a good option as it gives full control over objects.
Sources:
https://cloud.google.com/storage/docs/authentication
https://cloud.google.com/storage/docs/access-control/iam-roles
The ask is how the “Compute Engine instances to enable them to write data into a particular Cloud Storage bucket”. A service account is a special kind of account used by an application or compute workload, rather than a person. When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no resources can be accessed using the service account on that instance.
The best practice suggested by Google is given in this link: https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice, and https://cloud.google.com/storage/docs/access-control/iam-roles shows that storage.objectCreator is the best choice of role for this problem statement.