Exam Associate Cloud Engineer topic 1 question 256 discussion

A. Using Identity-Aware Proxy (IAP): While IAP is a secure method of accessing Compute Engine instances, it typically requires a Google account for authentication, which the consultant does not have.

The correct answer is **C**. To allow an external consultant to access a Linux-based Compute Engine instance, you should: - Instruct the external consultant to generate an **SSH key pair**. This will result in a public key and a private key. - Request the **public key** from the consultant. The public key can be shared without compromising security. - Add the public key to the instance yourself. This will allow the consultant to authenticate with the Compute Engine instance. - Have the consultant access the instance through SSH with their **private key**. The private key should be kept secret and not shared. The other options (A, B, and D) are not correct because they either require the consultant to have a Google account, expose the instance to the public internet, or involve sharing the private key, which is a security risk.

The correct answer is C, why is option A discarded, being complementary with previous answers, see question number 152... It says it very clear, the auditor is connected through the VPN network, if we observe the documentation based on IAP, it is recommended for uses outside the VPN, (...IAP is a building block toward BeyondCorp, an enterprise security model that enables employees to work from untrusted networks without using a VPN....). My answer will be C https://cloud.google.com/iap/docs/external-identities

A. IAP can work with no google account.https://cloud.google.com/iap/docs/external-identities

https://cloud.google.com/iap/docs/external-identities.

Although its confusing and contradicting with Question 152, I would proceed to choose C for this. Question states no google account and the consultant is connected through VPN to the corporate network also its "an instant", not many..

This is correct. For IAP you need a google account. Read the damn question, it clearly states that he doesn't have a google account goshdarnit!

IMO answer is "A". IAP does not require Google account. There are other authentication methods supported by IAP too. Ref: https://cloud.google.com/iap/docs/authenticate-users-external-identities

A requires a Google account and the consultant has not. So it is C.

Should be A based on the previous questions

See responses on question #152 And https://cloud.google.com/iap/docs/external-identities. RE: IAP "This is useful if your application is already using an external authentication system, and migrating your users to Google accounts is impractical"

A (IAP) is the solution

Per ChatGPT, Option C provides a secure and recommended method for granting the external consultant access to the Compute Engine instance using SSH key authentication without the need for a Google account.

C. Instruct the external consultant to generate an SSH key pair, and request the public key from the consultant. Add the public key to the instance yourself, and have the consultant access the instance through SSH with their private key.