nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #232

You have an application written in Python running in production on Cloud Run. Your application needs to read/write data stored in a Cloud Storage bucket in the same project. You want to grant access t

The correct answer is A. Create a user-managed service account with a custom Identity and Access Management (IAM). The principle of least privilege requires granting only the minimum permissions necessary. The correct approach is to create a dedicated user-managed service account and assign it a custom IAM role (or the narrowest predefined role such as roles/storage.objectAdmin scoped to the

Implementing security for applications

Question

You have an application written in Python running in production on Cloud Run. Your application needs to read/write data stored in a Cloud Storage bucket in the same project. You want to grant access to your application following the principle of least privilege. What should you do?

Options

  • ACreate a user-managed service account with a custom Identity and Access Management (IAM)
  • BCreate a user-managed service account with the Storage Admin Identity and Access
  • CCreate a user-managed service account with the Project Editor Identity and Access Management
  • DUse the default service account linked to the Cloud Run revision in production.

How the community answered

(24 responses)
  • A
    71% (17)
  • B
    17% (4)
  • C
    4% (1)
  • D
    8% (2)

Explanation

The principle of least privilege requires granting only the minimum permissions necessary. The correct approach is to create a dedicated user-managed service account and assign it a custom IAM role (or the narrowest predefined role such as roles/storage.objectAdmin scoped to the specific bucket) that permits only the required read/write operations. This service account is then attached to the Cloud Run revision. Option B (Storage Admin) grants bucket-level admin rights including the ability to modify ACLs and delete buckets - far more than required. Option C (Project Editor) is a primitive role granting write access to almost all project resources - a severe over-privilege. Option D (default service account) is discouraged because default service accounts typically carry broad permissions and are shared across services, violating isolation.

Topics

#IAM#Service Accounts#Cloud Run Security#Least Privilege

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice