PROFESSIONAL-CLOUD-DEVELOPER · Question #342
You are designing an application that shares PDF files containing time-sensitive information with users. The PDF files are saved in Cloud Storage. You need to provide secure access to the files. You h
The correct answer is A. Configure the application to generate signed URLs with an expiration time of 24 hours. Share the. Signed URLs are the correct tool here because they grant time-limited (24-hour expiry), object-level access to Cloud Storage without requiring the user to have a Google account. The application generates the signed URL using its service account credentials and shares it with the
Question
You are designing an application that shares PDF files containing time-sensitive information with users. The PDF files are saved in Cloud Storage. You need to provide secure access to the files. You have the following requirements:
- Users should only have access to files that they are allowed to view.
- Users should be able to request to read, write, or delete the PDF
files for 24 hours. Not all users of the application have a Google account. How should you provide access to data objects?
Options
- AConfigure the application to generate signed URLs with an expiration time of 24 hours. Share the
- BProvide users with the Service Account Token Creator IAM role to impersonate the application's
- CGenerate a service account that grants access to the POF files. Configure the application to
- DAssign the Storage Object User IAM role to users that request access to the PDF files. Set an
How the community answered
(47 responses)- A72% (34)
- B6% (3)
- C17% (8)
- D4% (2)
Explanation
Signed URLs are the correct tool here because they grant time-limited (24-hour expiry), object-level access to Cloud Storage without requiring the user to have a Google account. The application generates the signed URL using its service account credentials and shares it with the user. Option D (Storage Object User IAM role) requires users to have Google accounts and does not support time-limited access natively. Option B (Service Account Token Creator role) grants broad impersonation privileges to users, which is a security antipattern. Option C (generating a service account for users) is unscalable, insecure, and does not support non-Google users. Signed URLs are the standard Google-recommended pattern for this use case.
Topics
Community Discussion
No community discussion yet for this question.