ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Associate Cloud Engineer All Questions

View all questions & answers for the Associate Cloud Engineer exam
Go to Exam

Exam Associate Cloud Engineer topic 1 question 19 discussion

Actual exam question from Google's Associate Cloud Engineer
Question #: 19
Topic #: 1
[All Associate Cloud Engineer Questions]

You have a Linux VM that must connect to Cloud SQL. You created a service account with the appropriate access rights. You want to make sure that the VM uses this service account instead of the default Compute Engine service account. What should you do?

  • A. When creating the VM via the web console, specify the service account under the 'Identity and API Access' section.
  • B. Download a JSON Private Key for the service account. On the Project Metadata, add that JSON as the value for the key compute-engine-service- account.
  • C. Download a JSON Private Key for the service account. On the Custom Metadata of the VM, add that JSON as the value for the key compute-engine- service-account.
  • D. Download a JSON Private Key for the service account. After creating the VM, ssh into the VM and save the JSON under ~/.gcloud/compute-engine-service- account.json.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Agents89 at May 2, 2020, 1:19 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Agents89
Highly Voted 4 years, 9 months ago
A is correct
upvoted 59 times
ashrafh
3 years, 5 months ago
I vote A https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances Changing the service account and access scopes for an instance If you want to run the VM as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs, you can change the service account and the access scopes of an existing instance. For example, you can change access scopes to grant access to a new API, or change an instance so that it runs as a service account that you created, instead of the Compute Engine default service account. However, Google recommends that you use the fine-grained IAM policies instead of relying on access scopes to control resource access for the service account. To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to the change service account or access scopes of the stopped instance. Hope this helps :)
upvoted 18 times
...
ready2rock
3 years, 8 months ago
How can this be? It says you HAVE a VM, meaning it's already created. A cannot be the solution.
upvoted 13 times
jiniguez
3 years, 1 month ago
As the comment says: "To change an instance's service account and access scopes, the instance must be temporarily stopped ... After changing the service account or access scopes, remember to restart the instance." So we can stop the instance, change the service account, then start it up again.
upvoted 3 times
...
...
boof
3 years, 4 months ago
A seems legit, the answer is worded poorly but is the most correct. --- https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes --- "To change an instance's service account and access scopes, the instance must be temporarily stopped ... After changing the service account or access scopes, remember to restart the instance." So we can stop the instance, change the service account, then start it up again.
upvoted 6 times
...
...
jabrrJ68w02ond1
Highly Voted 3 years, 1 month ago
Either the question or the answers are wrong. The question says that we HAVE a Linux VM, so we should strike all the answers that include "when creating the VM.." - on the other hand, adding JSON Tokens to VM metadata is terrible because it's readable in clear-text for everyone. So, what do we need to do here?
upvoted 13 times
...
warbon
Most Recent 1 week, 6 days ago
Selected Answer: A
The correct way to assign a specific service account to a VM is by specifying it during VM creation in the 'Identity and API Access' section. This ensures the VM uses the specified service account for authentication when accessing Google Cloud services. The other options, which involve manually downloading and managing JSON keys, are not recommended due to security risks and Google's best practices for managing service accounts.
upvoted 1 times
...
peddyua
3 weeks ago
Selected Answer: C
seems like A. doesn't fit. As it's ONLY valid only during the VM creation process. It allows you to assign a custom service account instead of the default one. However, if the VM is already created, you cannot use this method. C. correct answer gcloud compute instances stop VM_NAME --zone ZONE gcloud compute instances set-service-account VM_NAME \ --zone ZONE \ --service-account SERVICE_ACCOUNT_EMAIL gcloud compute instances start VM_NAME --zone ZONE
upvoted 1 times
...
Sanjai_I
1 month, 2 weeks ago
Selected Answer: C
Recommended approach: Download a JSON Private Key for the service account. On the Custom Metadata of the VM, add that JSON as the value for the key compute-service-account. This will allow the VM to use the specified service account for accessing Cloud SQL, without relying on the default Compute Engine service account. The other options are not suitable: Option A is for specifying a service account when creating a VM via the web console, but it's not applicable for an existing VM. Option B is incorrect, as the compute-engine-service-account key is not a valid key for storing a service account JSON key file. Option D is not the correct approach, as saving the JSON key file to ~/.gcloud/compute-engine-service-account.json is not a standard way to configure the service account for a VM.
upvoted 1 times
...
errorfetch
4 months, 2 weeks ago
Selected Answer: A
A is correct because the easiest solution is specifying the service account while creating the vm. if you dont specify the default compute engine account is chosen.
upvoted 2 times
...
nubelukita45852
4 months, 2 weeks ago
Selected Answer: A
Para asegurarse de que la máquina virtual utilice una cuenta de servicio específica en lugar de la predeterminada de Compute Engine, debes especificar la cuenta de servicio correcta al crear la máquina virtual. En la sección "Identidad y acceso a API", puedes seleccionar la cuenta de servicio adecuada para garantizar que las solicitudes y accesos a otros servicios, como Cloud SQL, se realicen usando los permisos asociados a esa cuenta de servicio. B, C y D implican el uso de claves privadas JSON, lo cual no es una práctica recomendada debido a los riesgos de seguridad asociados al manejo de claves manualmente.
upvoted 1 times
...
Timfdklfajlksdjlakf
5 months, 1 week ago
Selected Answer: A
A is correct.
upvoted 1 times
...
hmd2910
7 months, 3 weeks ago
The question implies that a Linux VM already exists and needs to be configured to use a specific service account instead of the default Compute Engine service account. This is crucial because it eliminates option A, which focuses on setting the service account during VM creation. Why Option C is Correct: Custom Metadata : Custom metadata is designed for VM-specific configuration. It's the ideal place to store service account credentials. compute-engine-service-account : This is the specific metadata key used to tell the VM which service account to use. JSON Private Key : This is the standard format for storing service account credentials.
upvoted 3 times
...
ccpmad
8 months, 1 week ago
Selected Answer: A
select the service account directly in vm options, when creating or editing the VM. JSON private key? what are you talking about. You are all wrong
upvoted 1 times
...
sinh
1 year ago
What documentation do you have on B, C, and D?
upvoted 1 times
...
geekywitcher
1 year, 1 month ago
Selected Answer: A
A is recommended way. C is correct but A is the recommended approach.
upvoted 1 times
...
saylar478
1 year, 3 months ago
Selected Answer: A
A is correct
upvoted 1 times
...
ezzar
1 year, 3 months ago
the key is not directly provided to the VM (normally) only Service account to use https://docs.bridgecrew.io/docs/bc_gcp_iam_2
upvoted 1 times
...
Evan7557
1 year, 3 months ago
A is correct Answer
upvoted 1 times
...
YourCloudGuru
1 year, 4 months ago
Selected Answer: D
The correct answer is D. This is the recommended approach, because it allows you to specify the service account that you want to use without having to modify the VM's metadata. The other options are not as good: Option A is not as good, because it requires you to specify the service account when creating the VM. This can be inconvenient if you need to update the service account later. Option B is not as good, because it requires you to modify the VM's metadata. This can be complex and error-prone. Option C is not as good, because it requires you to modify the VM's custom metadata. This is not a recommended approach, because custom metadata is intended for use by custom applications.
upvoted 2 times
...
vinodthakur49
1 year, 5 months ago
Selected Answer: C
we have to use the newly created account rather VM default/attached SA.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago