Exam Associate Cloud Engineer topic 1 question 134 discussion

Correct Answer is (B): Best practices In general, Google recommends that each instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that instance to do its job. In practice, this means you should configure service accounts for your instances with the following process: Create a new service account rather than using the Compute Engine default service account. Grant IAM roles to that service account for only the resources that it needs. Configure the instance to run as that service account. Grant the instance the https://www.googleapis.com/auth/cloud-platform scope to allow full access to all Google Cloud APIs, so that the IAM permissions of the instance are completely determined by the IAM roles of the service account. Avoid granting more access than necessary and regularly check your service account permissions to make sure they are up-to-date. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices

I would choose: A. Assign appropriate access for Google services to the service account used by the Compute Engine VM. as there is no need to create a new service account.

Correct is A. look.. "minimal changes", so can't be the option B.

Create a new user-managed service account rather than using the Compute Engine default service account, and grant IAM roles to that service account for only the resources and operations that it needs. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices

I think the "minimal changes" hint here would make the first option the more suitable one since it doesn't involve creating a new service account.

Is not possible to add the service accounts to the application

B is the answer

I'd strongly lean towards Option B (Create a service account with appropriate access for Google services and configure the application to use this account) as the most likely correct answer. Google's exams emphasize secure design principles. The principle of least privilege is a core tenet, and custom service accounts embody this. Option B aligns precisely with the best practice for production environments and demonstrates a clear understanding of IAM concepts. While Option A could be acceptable with careful permission adjustments, exams often favor the solution most demonstrably secure and aligned with recommended practice out of the box. I believe option A might be a trap. Default service accounts can have varying levels of access. The exam might purposely use this ambiguity to test your knowledge of security principles. Focusing on the step of creating a custom service account signals your understanding of the correct IAM workflow.

When you create a new Compute Engine VM, it is assigned a default service account, but this default service account is not unique to each VM. Instead, it's a project-wide default service account. 1. Project-Wide Default Service Account: • The default service account is typically named something like [email protected]. It is the same across all VMs in the project that use the default service account. • Permissions granted to this default service account apply to all VMs using this account, which could lead to potential security risks if not managed carefully, especially in projects with multiple VMs having different access requirements.

When you run an application on a Compute Engine VM, the VM can use a service account to interact with Google Cloud services. This service account is attached to the VM and can be used to authenticate your application without needing to explicitly manage credentials. • B. Configure the application to use a new service account: While this is a viable approach, it requires more changes to your application to explicitly use a new service account. Using the VM's service account with ADC requires fewer changes.

B as option A is all about using default service account whereas option B is to make new custom service account Google recommended .

By creating a service account, you can assign appropriate permissions for Google services to the service account and configure your application to use it. This way, your application can access Google services securely without having to store any user credentials or access tokens on the VM. source1:https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances source2: https://www.exam-answer.com/migrate-application-google-cloud-compute-engine-seo-friendly

I will go with B, by creating new SA and not by A , as SA used by the Compute Engine VM is by first choice a default SA and not user managed SA.

A is the right answer , as after providing the appropriate access to the service account compute Engine

The correct answer is "B". In general, Google recommends that each instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that instance to do its job. In practice, this means you should configure service accounts for your instances with the following process: Create a new service account rather than using the Compute Engine default service account. Grant IAM roles to that service account for only the resources that it needs. Configure the instance to run as that service account. Grant the instance the https://www.googleapis.com/auth/cloud-platform scope to allow full access to all Google Cloud APIs, so that the IAM permissions of the instance are completely determined by the IAM roles of the service account. Avoid granting more access than necessary and regularly check your service account permissions to make sure they are up-to-date.

B "Many of these Google Cloud services also provide a default service account. Using the default service account is not recommended, because by default the default service account is highly privileged, which violates the principle of least privilege." https://cloud.google.com/docs/authentication/provide-credentials-adc#attached-sa

Based on the documentation here : https://cloud.google.com/docs/authentication/application-default-credentials looks like the correct answer is "A". This is exactly why ADC has been created for. You develop your code on your laptop and you using in your APP code ADC as a way to authorize to GCP - then depends on where you would like to test your code on - you simply execute `gcloud auth application-default login` in your system to store right credentials in your ADC on your laptop. When you copy your code into PROD VM, your app without any changes will scan below locations in order to find credentials : 1. GOOGLE_APPLICATION_CREDENTIALS environment variable 2. User credentials set up by using the Google Cloud CLI 3. The attached service account, returned by the metadata server As you can see above, your app will not find any credentials in 1. and 2. location but it will go to location 3, which is the credential for Service Account assigned to your VM. Minimal effort here means, you don't need to change your APP to get right credentials to GCP services.