Exam Associate Cloud Engineer topic 1 question 26 discussion

As per as the least privileage recommended by google, C is the correct Option, A is incorrect because the scope doesnt exist. B incorrect because it will give him full of control

In reviewing this, it looks to be a multiple answer question. According to Best Practices in this Google Doc (https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices) you grant the instance the scope and the permissions are determined by the IAM roles of the service account. In this case, you would grant the instance the scope and the role (storage.objectCreator) to the service account. Ans B and C Role from GCP Console: ID = roles/storage.objectCreator Role launch stage = General Availability Description = Access to create objects in GCS. 3 assigned permissions resourcemanager.projects.get resourcemanager.projects.list storage.objects.create

C because of 'storage.objectCreator'

Correct answer is C

Correct answer is D

storage.objectCreator contains sufficient privileges to do the job & so admin is not required

The correct answer is C. The other options are not accurate and go against the principle of giving least required access. A is incorrect as there is no role as write_only B is not a good option as it gives full control of google cloud services where as we are looking for write data into a particular cloud storage bucket D. is not a good option as it gives full control over objects Sources: https://cloud.google.com/storage/docs/authentication https://cloud.google.com/storage/docs/access-control/iam-roles

c seems more correct, you need to go iam to provide the permissions , b and d will give it more or full access

Associate Cloud Engineer exam booked very soon. kindly share the all the questions and any other support exam to clear this

C is correct

C is correct

C is correct answer

The ask is how the “Compute Engine instances to enable them to write data into a particular Cloud Storage bucket”. A service account is a special kind of account used by an application or compute workload, rather than a person. When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no resources can be accessed using the service account on that instance. The best Practice suggested by Google is refer in this link: https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice 
https://cloud.google.com/storage/docs/access-control/iam-roles shows that storage.objectCreator is best choice of the role for this problem statement.

The correct answer is C. There is no role as write only its read only hence A is incorrect.

IAM Work on Principal of least privilege,

Option C is the correct answer. To grant a set of Compute Engine instances permissions to write data to a particular Cloud Storage bucket, you should create a service account and add it to the IAM role 'storage.objectCreator' for that bucket. This IAM role allows the service account to create new objects in the bucket, but it does not allow it to modify or delete existing objects. Option A is incorrect because the access scope 'https://www.googleapis.com/auth/devstorage.write_only' does not exist. Option B is incorrect because the access scope 'https://www.googleapis.com/auth/cloud-platform' grants permissions for all Google Cloud Platform services, which is overly broad and not recommended. Option D is incorrect because the IAM role 'storage.objectAdmin' provides full control over the bucket, which is more access than necessary to allow the Compute Engine instances to write data to the bucket.

According to least priviliges, the correct answer is C