Exam Associate Cloud Engineer topic 1 question 71 discussion

Correct Answer (A): IAM permissions IAM permissions determine who can access resources. All users, service accounts, and other identities that interact with Container Registry must have the appropriate Cloud Storage permissions. By default, Google Cloud use default service accounts to interact with resources within the same project. For example, the Cloud Build service account can both push and pull images when Container Registry is in the same project. You must configure or modify permissions yourself if: You are using a service account in one project to access Container Registry in a different project You are using a default service account with read-only access to storage, but you want to both pull and push images You are using a custom service account to interact with Container Registry https://cloud.google.com/container-registry/docs/access-control

A is correct... Container Registry uses Cloud Storage buckets as the underlying storage for container images. You control access to your images by granting appropriate Cloud Storage permissions to a user, group, service account, or other identity. If the service account needs to access Container Registry in another project, you must grant the required permissions in the project with Container Registry. Reference: https://cloud.google.com/container-registry/docs/access-control#permissions

Container Registry stores images in Cloud Storage buckets under gcr.io, us.gcr.io, etc. GKE nodes need permission to pull images from this registry.

A is correct

As per https://cloud.google.com/container-registry/docs/access-control. Container Registry is deprecated and scheduled for shutdown. After May 15, 2024, Artifact Registry will host images for the gcr.io domain in Google Cloud projects without previous Container Registry usage. After March 18, 2025, Container Registry will be shut down. Artifact Registry is the recommended service for container image storage and management on Google Cloud.

A is the correct answer , as granting this role allow to download the image

Grating Storage Object Viewer IAM Role to the service account used by Kubernetes nodes allow the nodes to download the images from Container registry.

Answer A. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes. To ensure that Kubernetes can download container images from Container Registry, you need to grant the necessary permissions to the service account used by the Kubernetes nodes. In this case, you would need to grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes in the project where the images are stored. This role allows the service account to read objects from Cloud Storage buckets, including the container images in Container Registry.

Definitely A seems more practical and accurate.

CORRET ANS is A

Answer A is correct. Storage Object Viewer (roles/storage.objectViewer) -- Grant the role on the registry storage bucket. https://cloud.google.com/container-registry/docs/access-control

Storage Object viewer is enough, A is right.

Go for A. the option A is specific with the role that will be used. In GCP , the recommendations is using the specific permission. The others options not are specific and are not correct .

https://cloud.google.com/container-registry/docs/access-control

A is the correct answe because it follows google recommended practices to grant permissions to service accounts, also the object viewer is the appropiate role for the GKE to pull the image

A is the most obvious

A should be correct https://cloud.google.com/container-registry/docs/pushing-and-pulling#pulling_images_from_a_registry https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles