PROFESSIONAL-CLOUD-DEVELOPER · Question #232
You have an application written in Python running in production on Cloud Run. Your application needs to read/write data stored in a Cloud Storage bucket in the same project. You want to grant access t
The correct answer is A. Create a user-managed service account with a custom Identity and Access Management (IAM). The principle of least privilege requires granting only the minimum permissions necessary. The correct approach is to create a dedicated user-managed service account and assign it a custom IAM role (or the narrowest predefined role such as roles/storage.objectAdmin scoped to the
Question
You have an application written in Python running in production on Cloud Run. Your application needs to read/write data stored in a Cloud Storage bucket in the same project. You want to grant access to your application following the principle of least privilege. What should you do?
Options
- ACreate a user-managed service account with a custom Identity and Access Management (IAM)
- BCreate a user-managed service account with the Storage Admin Identity and Access
- CCreate a user-managed service account with the Project Editor Identity and Access Management
- DUse the default service account linked to the Cloud Run revision in production.
How the community answered
(24 responses)- A71% (17)
- B17% (4)
- C4% (1)
- D8% (2)
Explanation
The principle of least privilege requires granting only the minimum permissions necessary. The correct approach is to create a dedicated user-managed service account and assign it a custom IAM role (or the narrowest predefined role such as roles/storage.objectAdmin scoped to the specific bucket) that permits only the required read/write operations. This service account is then attached to the Cloud Run revision. Option B (Storage Admin) grants bucket-level admin rights including the ability to modify ACLs and delete buckets - far more than required. Option C (Project Editor) is a primitive role granting write access to almost all project resources - a severe over-privilege. Option D (default service account) is discouraged because default service accounts typically carry broad permissions and are shared across services, violating isolation.
Topics
Community Discussion
No community discussion yet for this question.