Exam Associate Cloud Engineer topic 1 question 133 discussion

Correct Answer is (B): Predefined roles The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Storage and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific buckets. Storage Object Creator (roles/storage.objectCreator) Allows users to create objects. Does not give permission to view, delete, or overwrite objects. https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles

i think is B

Its a bit tricky with the projects. They only specify that the VM must be able to create objects on the bucket. No mention of the people on the aggregate-reports group being able to access it

Guys ..shared VPC is the key to connect projects. Enjoy

B is the correct as it gives the service account required access

Correct Answer is B

Just take below sentence from the question which is added just for confusion :) "Your team operates only in the project corp-aggregate-reports"

Correct Answer is (B)

If that is the default service Account of the Compute Instance, then we should do nothing. As the role is already included. Either way, we should do nothing as the role is already covered. Also we shouldn´t modify Compute instance Service account. But again, I will assume it is not the default.

B is right

b it is

You should be able to add a service account to another project: Create the first service account in project A in the Cloud Console. Activate it using gcloud auth activate-service-account. In the Cloud Console, navigate to project B. Find the "IAM & admin" > "IAM" page. Click the "Add" button. In the "New members" field paste the name of the service account (it should look like a strange email address) and give it the appropriate role. Run gcloud commands with --project set to project B. They should succeed (I just manually verified that this will work). Automatic creation of service accounts is something that we're hesitant to do until we can work through all of the security ramifications. https://stackoverflow.com/a/35558464

It's B since bucket names are globally unique so it's enough to refer to them when you've proper role assigned

B, assign access is less step

From stackoverflow: Bucket names are globally unique, so your app will refer to an existing bucket in another project in the same way that it refers to buckets in its own project. Hence the shared VPC is not required to access the bucket. Just the IAM role.

B is correct

B - Grant the VM Service Account the role Storage Object Creator on corp-aggregate-reports-storage.