You have one project called proj-sa where you manage all your service accounts. You want to be able to use a service account from this project to take snapshots of VMs running in another project called proj-vm. What should you do?
A. Download the private key from the service account, and add it to each VM's custom metadata.
B. Download the private key from the service account, and add the private key to each VM's SSH keys.
C. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.
D. When creating the VMs, set the service account's API scope for Compute Engine to read/write.
C is the correct answer.
It took me a while to figure it out because I didn't understand how service accounts work across projects. This article made it clear for me. https://gtseres.medium.com/using-service-accounts-across-projects-in-gcp-cf9473fef8f0
You create the service account in proj-sa and take note of the service account email, then you go to proj-vm in IAM > ADD and add the service account's email as a new member and give it the Compute Storage Admin role.
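The grant described above lands on proj-vm's IAM policy, not on proj-sa's. As an added illustration (not code from this thread), the block below applies that binding to a constructed copy of the policy JSON shape that `gcloud projects get-iam-policy proj-vm --format=json` returns; the service account email, the etag and the existing bindings are made-up sample values, and in practice the same change is one command: `gcloud projects add-iam-policy-binding proj-vm --member=serviceAccount:<sa-email> --role=roles/compute.storageAdmin`.

```python
import copy

SNAPSHOT_ROLE = "roles/compute.storageAdmin"  # role named in answer C
SA_EMAIL = "snapshot-sa@proj-sa.iam.gserviceaccount.com"  # constructed sample email

# Constructed sample of proj-vm's policy before the grant (etag is a placeholder).
PROJ_VM_POLICY = {
    "version": 1,
    "etag": "PLACEHOLDER_ETAG",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}


def home_project(sa_email):
    """Project that owns a service account, parsed from its email domain."""
    local, _, domain = sa_email.partition("@")
    suffix = ".iam.gserviceaccount.com"
    if not local or not domain.endswith(suffix):
        raise ValueError(f"not a user-managed service account email: {sa_email}")
    return domain[: -len(suffix)]


def member_for_sa(sa_email):
    """IAM member string used when a service account is the principal."""
    return f"serviceAccount:{sa_email}"


def has_role(policy, member, role):
    """True if `member` is bound to `role` anywhere in `policy`."""
    return any(b["role"] == role and member in b["members"] for b in policy["bindings"])


def add_binding(policy, member, role):
    """Return a new policy with `member` granted `role`; idempotent, input untouched."""
    updated = copy.deepcopy(policy)
    for binding in updated["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def grant_snapshot_role(resource_policy, sa_email):
    """Grant the snapshot role on the project that owns the VMs (proj-vm here)."""
    return add_binding(resource_policy, member_for_sa(sa_email), SNAPSHOT_ROLE)
```

The service account keeps living in proj-sa (`home_project` returns "proj-sa"), while the binding that lets it create snapshots is on proj-vm's policy; no key download is involved.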
As of now, service accounts may be impersonated (new-term). AKA, you can create a service account in one project and then impersonate it in others. Essentially, it involves the same steps as what the medium article suggests (create a service account in the principal (main) project and then add the email of the main project to the project you want to impersonate) https://cloud.google.com/iam/docs/impersonating-service-accounts#impersonate-sa-level
I have tried C, it doesn't work. Also, this refers to a different Principal (user) impersonating a Service Account which is a different case from what is in the question.
C is the correct answer.
Compute Storage Admin (roles/compute.storageAdmin) has permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.
The most common way to let an application authenticate as a service account is to attach a service account to the resource running the application. For example, you can attach a service account to a Compute Engine instance so that applications running on that instance can authenticate as the service account. Then, you can grant the service account IAM roles to let the service account—and, by extension, applications on the instance—access Google Cloud resources.
Answer C is correct. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.
To take snapshots of VMs running in another project, you need to grant the service account that will take the snapshots the necessary IAM role to perform the action. In this case, granting the service account in the proj-sa project the Compute Storage Admin role in the proj-vm project will allow it to take snapshots of VMs running in that project.
Answers A and B are incorrect because they involve downloading and adding the private key of the service account to each VM, which is not necessary and potentially risky.
Answer D is also incorrect because setting the service account's API scope for Compute Engine to read/write only grants it permission to perform actions on resources within the same project.
https://cloud.google.com/iam/docs/creating-managing-service-accounts
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts
C is the correct answer.
Compute Storage Admin (roles/compute.storageAdmin)
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.
Lowest-level resources where you can grant this role: Disk, Image, Snapshot (Beta)
When a service account is in one project, and it accesses a resource in another project, you usually must enable the API for that resource in both projects. For example, if you have a service account in the project my-service-accounts and a Cloud SQL instance in the project my-application, you must enable the Cloud SQL API in both my-service-accounts and my-application.