Exam Associate Cloud Engineer topic 1 question 152 discussion

A - https://cloud.google.com/iap/docs/external-identities

full of confusions for any reader.... You guys all say A, B, C & D but which one is correct ?

People voting for D assuming the Google account is the only mandatory requirement to configure IAP is not true , we can use microsoft, facebook and custom email as well

A is incorrect because the operations partner does not have a Google account. Activating and enabling Cloud IAP (Identity-Aware Proxy) for the Compute Engine instances would only allow access to users with Google Accounts. In this case, the third-party service provider does not use Google Accounts, so this option would not enable their access.

IAP controls access to your applications and resources. It leverages user identity and the context of a request to determine if a user should be allowed access. IAP is a building block toward BeyondCorp, an enterprise security model that enables employees to work from untrusted networks without using a VPN. By default, IAP uses Google identities and IAM. By leveraging Identity Platform instead, you can authenticate users with a wide range of external identity providers, such as: Email/password OAuth (Google, Facebook, Twitter, GitHub, Microsoft, etc.) SAML OIDC Phone number Custom Anonymous This is useful if your application is already using an external authentication system, and migrating your users to Google accounts is impractical.

Cloud IAP requires users to authenticate with a Google Account, which the operations partner does not use. So D, SSH key authentication is a standard and secure method for granting access to Linux systems. This avoids the need for creating Google Accounts and provides direct access to the instances.

Using SSH keys is an effective and secure way to provide access to your instances without requiring Google Accounts, aligning with the needs of your new operations partner.

D. Ask the operations partner to generate SSH key pairs, and add the public keys to the VM instances. Explanation: Direct SSH access: This method provides direct SSH access to the instances, allowing the operations partner to manage the installed tooling efficiently. No Google account required: The operations partner doesn't need a Google account, as SSH keys are the authentication mechanism. Security: While you'll need to manage SSH keys carefully, this method offers a secure way to grant access to specific users. Why not other options: A. Enable Cloud IAP: Cloud IAP is primarily for web applications, not SSH access. B. Firewall rule: While this could technically work, it's less secure than SSH keys and more complex to manage. C. Cloud VPN: Setting up a VPN is overkill for this scenario and introduces additional complexity. By choosing option D, you provide the operations partner with the necessary access while maintaining security.

If you go with answer A, explain please what credentials will be used to authentication?

"new operations partner that does not use Google Accounts." All answering A, but the question does not say that the new partner is going to use Google Accounts now. So it is D. Is not a good idea to enter with ssh key pairs, but there is not other option if the new partner has to enter vms and does not have Google accounts.

A is clean: https://cloud.google.com/iap/docs/concepts-overview#when_to_use_iap

A seems more corrrect, as to provide the access

Answer is A. Although to enable IAP, you do need to create a firewall rule on tcp 22. But if this question wasn't multiple choice then A is correct. "IAP is a building block toward BeyondCorp, an enterprise security model that enables employees to work from untrusted networks without using a VPN." - So C is not required when A can suffice.

https://cloud.google.com/iap/docs/concepts-overview IAP is only for google accounts and applies to access to AppEngine, HTTP(s) LB. It explicitly doesn't protect VMs.

Please watch this video. https://www.youtube.com/watch?v=jZdXyWQuIW0

B is the straight forward answer to allow the partner to access via SSH without a Google account. For those suggesting A, carefully read https://cloud.google.com/iap/docs/external-identities and you'll notice that external identity isn't available from IAP out of the box and requires Identity Platform.

Question ask about granting access to new operations partner and that can be done by first option only.