ASSOCIATE-CLOUD-ENGINEER · Question #60
ASSOCIATE-CLOUD-ENGINEER Question #60: Real Exam Question with Answer & Explanation
The correct answer is B: the read will not execute. What a VM can do with its attached service account is the intersection of what the account's IAM roles grant and what the instance's access scopes allow, so a scope that does not cover Cloud Storage blocks the read even though IAM would permit it.
Question
A VM instance is trying to read from a Cloud Storage bucket. The IAM roles assigned to the VM's service account allow the VM instance to read from the bucket, but the access scopes assigned to the VM do not permit reading from the bucket. What will happen when the VM tries to read from the bucket?
Options
- A. The application performing the read will drop the read operation
- B. The read will not execute as IAM roles and scopes both determine what operations will be
- C. The read will succeed because the most permissive permission is allowed
- D. The read operation will execute, but a message will be sent to the Stackdriver Logging
Explanation
This question assesses understanding of how IAM roles and VM access scopes interact when permissions conflict on Google Cloud.
Common mistakes.
- A. The application does not silently drop anything. The request reaches Google's API front end and is rejected with a 403 error, because the access token the metadata server issued to the VM does not carry a scope that covers Cloud Storage. What the application does with that error is up to its own error handling.
- C. There is no "most permissive wins" rule. A VM's effective access is the intersection of the service account's IAM roles and the instance's access scopes; both must allow the operation, so the more restrictive of the two decides.
- D. The operation does not execute. A denied request may show up in Cloud Logging (the successor of Stackdriver Logging) if Data Access audit logging is enabled for Cloud Storage, but logging is a side effect, not the outcome the question asks about.
Concept tested. VM Instance Access Scopes and IAM Interaction
Reference. https://cloud.google.com/compute/docs/access/service-accounts#access_scopes_best_practice
Practical note. Access scopes are a legacy, per-instance mechanism. The referenced page recommends giving the instance the cloud-platform scope and controlling access with IAM roles alone, which avoids exactly this kind of conflict. Scopes can only be changed while the instance is stopped, and they restrict only tokens obtained from the instance metadata server; credentials an application brings with it (such as a downloaded service account key) are not limited by the instance's scopes.
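The decision rule behind the explanation above, as an added example that is not code from the original page or from Google. It models "IAM roles AND access scopes" as an intersection and reports which of the two denied a call, so the exam scenario (IAM allows, scopes do not) can be contrasted with the reverse case and with an allowed one. The role and scope tables are assumptions: small, illustrative subsets of the real Cloud Storage roles and scope URIs, not a complete catalogue, and the detail strings are not the real API error bodies. The sample metadata-server output is constructed.

```python
"""Model of how a Compute Engine VM's API call is authorised.

A call made with the VM's attached service account succeeds only if the
account's IAM roles grant the permission AND the instance's access scopes
cover it. The tables below are assumptions: illustrative subsets of the
real Cloud Storage roles and scopes, not a complete catalogue.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Real OAuth scope URIs used on Compute Engine instances.
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
STORAGE_RO = "https://www.googleapis.com/auth/devstorage.read_only"
STORAGE_RW = "https://www.googleapis.com/auth/devstorage.read_write"
LOGGING_WRITE = "https://www.googleapis.com/auth/logging.write"

# Assumption: which Cloud Storage IAM permissions a token carrying each scope
# can be used for. cloud-platform is modelled as covering every permission.
SCOPE_COVERS = {
    STORAGE_RO: {"storage.objects.get", "storage.objects.list"},
    STORAGE_RW: {"storage.objects.get", "storage.objects.list",
                 "storage.objects.create", "storage.objects.delete"},
    LOGGING_WRITE: {"logging.logEntries.create"},
}

# Assumption: a subset of the permissions bundled in three predefined roles.
ROLE_GRANTS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    denied_by: Optional[str]  # None, "iam" or "scope"
    detail: str


def parse_metadata_scopes(text: str) -> set[str]:
    """Parse the newline-separated scope list the metadata server returns from
    /computeMetadata/v1/instance/service-accounts/default/scopes."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def check_access(permission: str, roles: Iterable[str], scopes: Iterable[str]) -> Decision:
    """Decide whether the VM may perform `permission`.

    IAM is evaluated first only for readability; the order does not change
    the result, because both checks must pass (intersection semantics).
    """
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    if permission not in granted:
        return Decision(False, "iam", f"no IAM role grants {permission}")
    scope_set = set(scopes)
    covered = CLOUD_PLATFORM in scope_set or any(
        permission in SCOPE_COVERS.get(s, set()) for s in scope_set)
    if not covered:
        return Decision(False, "scope",
                        f"token has insufficient authentication scopes for {permission}")
    return Decision(True, None, "allowed: IAM role and access scope both permit it")


# Constructed sample: what the metadata server would return for a VM created
# with only the logging.write scope and no Cloud Storage scope at all.
SAMPLE_METADATA_SCOPES = "https://www.googleapis.com/auth/logging.write\n"


def exam_scenario() -> Decision:
    """The question's case: IAM allows the read, the instance scopes do not."""
    return check_access("storage.objects.get",
                        roles=["roles/storage.objectViewer"],
                        scopes=parse_metadata_scopes(SAMPLE_METADATA_SCOPES))


if __name__ == "__main__":
    cases = {
        "exam (IAM yes, scope no)": exam_scenario(),
        "scope yes, IAM no": check_access("storage.objects.get", [], [CLOUD_PLATFORM]),
        "both yes": check_access("storage.objects.get",
                                 ["roles/storage.objectViewer"], [STORAGE_RO]),
        "write with read-only scope": check_access("storage.objects.create",
                                                   ["roles/storage.objectAdmin"], [STORAGE_RO]),
    }
    for name, d in cases.items():
        print(f"{name:28s} allowed={d.allowed!s:5s} denied_by={d.denied_by} ({d.detail})")
```

The fourth case shows the same rule from the other side: an objectAdmin role cannot write through a read_only scope, which is why "most permissive wins" (option C) is wrong in both directions. On a real instance the scope list is read with `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes`, which is the output format `parse_metadata_scopes` expects.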
Community Discussion
No community discussion yet for this question.