C is the correct answer. It took me a while to figure it out because I didn't understand how service accounts work across project. This article made it clear for me. https://gtseres.medium.com/using-service-accounts-across-projects-in-gcp-cf9473fef8f0 You create the service account in proj-sa and take note of the service account email, then you go to proj-vm in IAM > ADD and add the service account's email as new member and give it the Compute Storage Admin role.

Option C is the right one

C seems more correct, because you want to use it, you need access for it

C is the answer

C is the correct answer. Compute Storage Admin (roles/compute.storageAdmin) has permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project. The most common way to let an application authenticate as a service account is to attach a service account to the resource running the application. For example, you can attach a service account to a Compute Engine instance so that applications running on that instance can authenticate as the service account. Then, you can grant the service account IAM roles to let the service account—and, by extension, applications on the instance—access Google Cloud resources.

Answer C is correct. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm. To take snapshots of VMs running in another project, you need to grant the service account that will take the snapshots the necessary IAM role to perform the action. In this case, granting the service account in the proj-sa project the Compute Storage Admin role in the proj-vm project will allow it to take snapshots of VMs running in that project. Answers A and B are incorrect because they involve downloading and adding the private key of the service account to each VM, which is not necessary and potentially risky. Answer D is also incorrect because setting the service account's API scope for Compute Engine to read/write only grants it permission to perform actions on resources within the same project. https://cloud.google.com/iam/docs/creating-managing-service-accounts https://cloud.google.com/iam/docs/granting-roles-to-service-accounts

C. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.

Safe to eliminate any options that demand transferring of private keys. NOT SAFE Hence, C.

Answer is C

C. is the correct answer Compute Storage Admin (roles/compute.storageAdmin) Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project. Lowest-level resources where you can grant this role: Disk Image Snapshot Beta

go for C

https://cloud.google.com/compute/docs/access/iam#compute.storageAdmin

When a service account is in one project, and it accesses a resource in another project, you usually must enable the API for that resource in both projects. For example, if you have a service account in the project my-service-accounts and a Cloud SQL instance in the project my-application, you must enable the Cloud SQL API in both my-service-accounts and my-application.

C. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.

C. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.

C is correct

C. Compute Storage Admin role has this: compute.snapshots.*