You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?
A.
Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/devstorage.write_only'.
B.
Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/cloud-platform'.
C.
Create a service account and add it to the IAM role 'storage.objectCreator' for that bucket.
D.
Create a service account and add it to the IAM role 'storage.objectAdmin' for that bucket.
As per as the least privileage recommended by google, C is the correct Option, A is incorrect because the scope doesnt exist. B incorrect because it will give him full of control
No it doesn't. You have read-only, read-write, full-control and others... but "write-only" is not a thing.
https://cloud.google.com/storage/docs/authentication
In reviewing this, it looks to be a multiple answer question. According to Best Practices in this Google Doc (https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices) you grant the instance the scope and the permissions are determined by the IAM roles of the service account. In this case, you would grant the instance the scope and the role (storage.objectCreator) to the service account.
Ans B and C
Role from GCP Console:
ID = roles/storage.objectCreator
Role launch stage = General Availability
Description = Access to create objects in GCS.
3 assigned permissions
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
There are many access scopes available to choose from, but a best practice is to set the cloud-platform access scope, which is an OAuth scope for most Google Cloud services, and then control the service account's access by granting it IAM roles..you have an app that reads and writes files on Cloud Storage, it must first authenticate to the Cloud Storage API. You can create an instance with the cloud-platform scope and attach a service account to the instance
https://cloud.google.com/compute/docs/access/service-accounts
Reading the second point of the best practice. You should grant your VM the https://www.googleapis.com/auth/cloud-platform scope to allow access to most of Google Cloud APIs.
So, that the IAM permissions are completely determined by the IAM roles you granted to the service account.
The conclusion is you should not mess up with the VM scopes to grant access to Google Services, instead you should grant the access via IAM roles of the service account you attached to the VM.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices
The reason why A is not an answer.
The Activity log in the GCP Console is part of the Cloud Audit Logs but focuses on high-level admin activities, not specific data access or detailed operations like viewing files or adding metadata labels
You have sensitive data stored in three Cloud Storage buckets and have enabled data access logging. You want to verify activities for a particular user for these buckets, using the fewest possible steps. You need to verify the addition of metadata labels and which files have been viewed from those buckets. What should you do?
The correct answer is C.
The other options are not accurate and go against the principle of giving least required access.
A is incorrect as there is no role as write_only
B is not a good option as it gives full control of google cloud services where as we are looking for write data into a particular cloud storage bucket
D. is not a good option as it gives full control over objects
Sources:
https://cloud.google.com/storage/docs/authentication
https://cloud.google.com/storage/docs/access-control/iam-roles
The ask is how the “Compute Engine instances to enable them to write data into a particular Cloud Storage bucket”. A service account is a special kind of account used by an application or compute workload, rather than a person. When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no resources can be accessed using the service account on that instance.
The best Practice suggested by Google is refer in this link: https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice https://cloud.google.com/storage/docs/access-control/iam-roles shows that storage.objectCreator is best choice of the role for this problem statement.
Option C is the correct answer. To grant a set of Compute Engine instances permissions to write data to a particular Cloud Storage bucket, you should create a service account and add it to the IAM role 'storage.objectCreator' for that bucket. This IAM role allows the service account to create new objects in the bucket, but it does not allow it to modify or delete existing objects. Option A is incorrect because the access scope 'https://www.googleapis.com/auth/devstorage.write_only' does not exist. Option B is incorrect because the access scope 'https://www.googleapis.com/auth/cloud-platform' grants permissions for all Google Cloud Platform services, which is overly broad and not recommended. Option D is incorrect because the IAM role 'storage.objectAdmin' provides full control over the bucket, which is more access than necessary to allow the Compute Engine instances to write data to the bucket.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
coldpar
Highly Voted 5 years, 1 month agojohnconnor
2 years, 10 months agoBedmed
2 years, 4 months agoCVGCP
1 year, 11 months agokarim1321
1 year, 10 months agorobor97
4 years, 4 months agogielda211
3 years agopeter77
3 years, 7 months agoXRiddlerX
Highly Voted 4 years, 9 months agonickyshil
2 years, 8 months agoryumada
2 years, 8 months agoHanu17
Most Recent 3 months, 2 weeks agoHanu17
3 months, 2 weeks agoEnamfrancis
7 months agoandreiboaghe95
10 months, 2 weeks agoBAofBK
1 year, 5 months agogsmasad
1 year, 5 months agoYourCloudGuru
1 year, 6 months agoCaptain1212
1 year, 7 months agoNeha_Pallavi
1 year, 9 months agoShubha1
1 year, 8 months agoExamsFR
1 year, 9 months agorosh199
1 year, 9 months agoCVGCP
1 year, 11 months agotrainingexam
1 year, 11 months agoPraxii
2 years agoAshish_Tayal
2 years agosmanoj85
2 years, 1 month ago