ASSOCIATE-CLOUD-ENGINEER · Question #10
ASSOCIATE-CLOUD-ENGINEER Question #10: Real Exam Question with Answer & Explanation
The correct answer is C: Create a service account and add it to the IAM role `storage.objectCreator` for that bucket. The question asks for permission to write objects into one bucket, and granting anything broader than that violates the principle of least privilege. objectCreator is described as: Allows users to create objects. Does not give permission to view, delete, or replace objects.
Question
You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?
Options
- A. Create a service account with an access scope.
- B. Create a service account with an access scope.
- C. Create a service account and add it to the IAM role `storage.objectCreator` for that bucket.
- D. Create a service account and add it to the IAM role `storage.objectAdmin` for that bucket.
Explanation
The question asks only for permission to write objects into one particular bucket. Granting anything broader violates the principle of least privilege. `roles/storage.objectCreator` is described as: "Allows users to create objects. Does not give permission to view, delete, or replace objects." `roles/storage.objectAdmin` is described as: "Grants full control over objects, including listing, creating, viewing, and deleting objects." objectAdmin therefore carries permissions (listing, reading, deleting) that the scenario never needs, so C rather than D is the answer.

Two further points matter in practice. First, bind the role on the bucket itself rather than on the project, so the service account cannot write into every bucket in the project. Second, access scopes (options A and B) are the legacy way of limiting what an instance may call; Google's current guidance is to attach a dedicated service account to the instance with the `cloud-platform` scope and let IAM roles do the actual restriction. Note as well that objectCreator does not allow replacing an existing object, so a workload that must overwrite objects under the same name would need a different role; the question does not ask for that. Reference: https://cloud.google.com/storage/docs/access-control/iam-roles
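As an added, runnable example (not from the original page and not Google's own documentation), the following shell script carries out answer C end to end with gcloud: a dedicated service account, a bucket-level `roles/storage.objectCreator` binding, an instance that runs as that account with the `cloud-platform` scope, and a check that the account holds nothing broader on the bucket. The project, bucket, service-account and zone names are placeholder assumptions; `DRY_RUN=1` prints each gcloud command instead of executing it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original question page. Provisions a dedicated
# service account, grants it roles/storage.objectCreator on ONE bucket, and
# attaches it to a Compute Engine instance with the cloud-platform scope so that
# IAM, not legacy access scopes, bounds what the VM can do.
# PROJECT, BUCKET, SA_NAME and ZONE are assumed placeholder values.
set -eu

PROJECT="${PROJECT:-example-project}"
BUCKET="${BUCKET:-example-ingest-bucket}"
SA_NAME="${SA_NAME:-ingest-writer}"
ZONE="${ZONE:-us-central1-a}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each gcloud command instead of running it

# run: execute the command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT"
}

# 1. A service account dedicated to this workload (not the default Compute
#    Engine service account, which is granted the project-level Editor role
#    by default).
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT" \
    --display-name="writer-for-$BUCKET"
}

# 2. Bind the role on the bucket, not on the project. objectCreator allows
#    creating objects only: no listing, reading, deleting or replacing.
grant_bucket_writer() {
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="serviceAccount:$(sa_email)" \
    --role=roles/storage.objectCreator
}

# 3. Attach the account at instance creation with the cloud-platform scope;
#    the IAM binding above is what actually limits the instance.
create_instance() {
  run gcloud compute instances create "$1" \
    --project="$PROJECT" --zone="$ZONE" \
    --service-account="$(sa_email)" \
    --scopes=cloud-platform
}

# 4. Check: print every role this account holds on the bucket. Anything other
#    than roles/storage.objectCreator means the binding is broader than needed.
list_bucket_roles() {
  run gcloud storage buckets get-iam-policy "gs://$BUCKET" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$(sa_email)" \
    --format="value(bindings.role)"
}

provision() {
  create_service_account
  grant_bucket_writer
  create_instance "$1"
  list_bucket_roles
}

# Usage: PROJECT=my-proj BUCKET=my-bucket ./setup.sh run [instance-name]
if [ "${1:-}" = "run" ]; then
  provision "${2:-ingest-worker-1}"
fi
```

To confirm the effect from inside the instance, copy a new object with `gcloud storage cp` (succeeds), then try `gcloud storage ls gs://BUCKET` or copy a second file to the same object name (both fail with a permission error), which is exactly the "create but not view, delete or replace" behaviour the role description promises.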
Community Discussion
No community discussion yet for this question.