Exam Associate Cloud Engineer topic 1 question 19 discussion

Actual exam question from Google's Associate Cloud Engineer
Question #: 19
Topic #: 1

You have a Linux VM that must connect to Cloud SQL. You created a service account with the appropriate access rights. You want to make sure that the VM uses this service account instead of the default Compute Engine service account. What should you do?

  • A. When creating the VM via the web console, specify the service account under the 'Identity and API Access' section.
  • B. Download a JSON Private Key for the service account. On the Project Metadata, add that JSON as the value for the key compute-engine-service-account.
  • C. Download a JSON Private Key for the service account. On the Custom Metadata of the VM, add that JSON as the value for the key compute-engine-service-account.
  • D. Download a JSON Private Key for the service account. After creating the VM, ssh into the VM and save the JSON under ~/.gcloud/compute-engine-service-account.json.
Suggested Answer: A
Reference:
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances

Comments

Agents89
Highly Voted 3 years, 11 months ago
A is correct
upvoted 49 times
ashrafh
2 years, 7 months ago
I vote A. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances "Changing the service account and access scopes for an instance: If you want to run the VM as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs, you can change the service account and the access scopes of an existing instance. For example, you can change access scopes to grant access to a new API, or change an instance so that it runs as a service account that you created, instead of the Compute Engine default service account. However, Google recommends that you use the fine-grained IAM policies instead of relying on access scopes to control resource access for the service account. To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to change the service account or access scopes of the stopped instance." Hope this helps :)
upvoted 16 times
...
ready2rock
2 years, 9 months ago
How can this be? It says you HAVE a VM, meaning it's already created. A cannot be the solution.
upvoted 12 times
jiniguez
2 years, 3 months ago
As the comment says: "To change an instance's service account and access scopes, the instance must be temporarily stopped ... After changing the service account or access scopes, remember to restart the instance." So we can stop the instance, change the service account, then start it up again.
upvoted 3 times
...
...
boof
2 years, 6 months ago
A seems legit, the answer is worded poorly but is the most correct. --- https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes --- "To change an instance's service account and access scopes, the instance must be temporarily stopped ... After changing the service account or access scopes, remember to restart the instance." So we can stop the instance, change the service account, then start it up again.
upvoted 6 times
...
...
jabrrJ68w02ond1
Highly Voted 2 years, 3 months ago
Either the question or the answers are wrong. The question says that we HAVE a Linux VM, so we should strike all the answers that include "when creating the VM.." - on the other hand, adding JSON Tokens to VM metadata is terrible because it's readable in clear-text for everyone. So, what do we need to do here?
upvoted 11 times
...
sinh
Most Recent 2 months, 1 week ago
What documentation do you have on B, C, and D?
upvoted 1 times
...
geekywitcher
3 months ago
Selected Answer: A
A is the recommended way. C is correct but A is the recommended approach.
upvoted 1 times
...
saylar478
5 months ago
Selected Answer: A
A is correct
upvoted 1 times
...
ezzar
5 months, 1 week ago
The key is not directly provided to the VM (normally), only the service account to use: https://docs.bridgecrew.io/docs/bc_gcp_iam_2
upvoted 1 times
...
Evan7557
5 months, 2 weeks ago
A is the correct answer
upvoted 1 times
...
YourCloudGuru
6 months ago
Selected Answer: D
The correct answer is D. This is the recommended approach, because it allows you to specify the service account that you want to use without having to modify the VM's metadata. The other options are not as good: Option A is not as good, because it requires you to specify the service account when creating the VM. This can be inconvenient if you need to update the service account later. Option B is not as good, because it requires you to modify the VM's metadata. This can be complex and error-prone. Option C is not as good, because it requires you to modify the VM's custom metadata. This is not a recommended approach, because custom metadata is intended for use by custom applications.
upvoted 1 times
...
vinodthakur49
7 months ago
Selected Answer: C
We have to use the newly created account rather than the VM default/attached SA.
upvoted 1 times
...
ExamsFR
8 months, 1 week ago
Selected Answer: A
A is correct
upvoted 3 times
...
rosh199
8 months, 1 week ago
A is correct
upvoted 2 times
...
geeroylenkins
8 months, 2 weeks ago
Selected Answer: A
A is correct. No idea why you'd add anything to metadata of an instance https://cloud.google.com/compute/docs/metadata/overview The SA can be specified in the web console during creation of the VM and also if the VM is stopped. This SA will then be used for everything that VM does. Therefore, A is correct.
upvoted 3 times
...
Neha_Pallavi
8 months, 2 weeks ago
C is the possible correct answer. The VM instance is already created.
upvoted 2 times
...
Paras_vohrA
8 months, 2 weeks ago
Selected Answer: A
A is correct
upvoted 3 times
...
alany2000
9 months, 4 weeks ago
Selected Answer: A
compute-engine-service-account is not a valid metadata key, therefore it's A
upvoted 3 times
...
Kyle1776
10 months, 1 week ago
Selected Answer: D
To ensure that a Linux VM uses a specific service account instead of the default Compute Engine service account when connecting to Cloud SQL, you should follow option D: Download a JSON Private Key for the service account. After creating the VM, ssh into the VM and save the JSON under ~/.gcloud/compute-engine-service-account.json.
upvoted 2 times
...
Shweta2jun
10 months, 2 weeks ago
Selected Answer: A
A is correct
upvoted 3 times
...
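Added example, not part of the original discussion or of Google's documentation: an audit check for the two conditions the thread argues about, a VM still running as the default Compute Engine service account and a service account JSON key pasted into instance metadata, where it is readable in clear text. It assumes the instance resource shape printed by `gcloud compute instances describe --format=json` (`serviceAccounts[].email`, `metadata.items[]`); the project, account names and sample resources are constructed.

```python
import json
import re

# Default Compute Engine service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def looks_like_sa_key(value):
    """True if a metadata value carries service account private key material."""
    if "-----BEGIN PRIVATE KEY-----" in value:
        return True
    try:
        doc = json.loads(value)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc


def audit_instance(instance, expected_sa):
    """Return a list of findings for one instance resource (parsed JSON)."""
    findings = []
    emails = [sa.get("email", "") for sa in instance.get("serviceAccounts", [])]
    if not emails:
        findings.append("no service account attached")
    for email in emails:
        if DEFAULT_SA.match(email):
            findings.append("runs as default Compute Engine service account: " + email)
        elif email != expected_sa:
            findings.append("unexpected service account: " + email)
    for item in instance.get("metadata", {}).get("items", []):
        if looks_like_sa_key(item.get("value", "")):
            findings.append("service account key stored in metadata key: " + item["key"])
    return findings


# Constructed sample resources (hypothetical names, not real project data).
EXPECTED = "sql-client@example-project.iam.gserviceaccount.com"
GOOD_VM = {"name": "vm-good", "serviceAccounts": [{"email": EXPECTED}],
           "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
BAD_VM = {"name": "vm-bad",
          "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}],
          "metadata": {"items": [{"key": "compute-engine-service-account",
                                  "value": json.dumps({"type": "service_account",
                                                       "private_key": "CONSTRUCTED-PLACEHOLDER"})}]}}

if __name__ == "__main__":
    for vm in (GOOD_VM, BAD_VM):
        print(vm["name"], audit_instance(vm, EXPECTED) or "OK")
```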
Community vote distribution
A (35%)
C (25%)
B (20%)
Other