You are writing a Compute Engine hosted application in project A that needs to securely authenticate to a Cloud Pub/Sub topic in project B. What should you do?
A.
Configure the instances with a service account owned by project B. Add the service account as a Cloud Pub/Sub publisher to project A.
B.
Configure the instances with a service account owned by project A. Add the service account as a publisher on the topic.
C.
Configure Application Default Credentials to use the private key of a service account owned by project B. Add the service account as a Cloud Pub/Sub publisher to project A.
D.
Configure Application Default Credentials to use the private key of a service account owned by project A. Add the service account as a publisher on the topic.
Option B is the correct answer because it involves creating a service account in project A and adding it as a publisher to the Cloud Pub/Sub topic in project B. This allows the Compute Engine instances in project A to authenticate to the Cloud Pub/Sub topic in project B using the service account's credentials. The other options do not involve creating a service account in project A or adding it as a publisher to the Cloud Pub/Sub topic in project B, so they are not valid solutions.
Option C is incorrect because it does not properly authenticate to the Cloud Pub/Sub topic in project B. In this option, Application Default Credentials are being used to authenticate to the topic, but the private key of a service account owned by project B is being used. While the service account may have the necessary permissions to publish messages to the topic, using Application Default Credentials with a private key is not a secure way to authenticate to Cloud Pub/Sub.
Option D is incorrect because it does not authenticate to the Cloud Pub/Sub topic in project B. In this option, Application Default Credentials are being used to authenticate to the topic, but the private key of a service account owned by project A is being used. This service account does not have the necessary permissions to publish messages to the topic in project B.
Option A is incorrect because it is not a secure way to authenticate to a Cloud Pub/Sub topic in project B. In this option, the instances in project A are using a service account owned by project B, but the service account is not added as a publisher on the topic. This means that the service account does not have the necessary permissions to publish messages to the topic.
Application Default Credentials would work only if the resource/project has already been set up with the GOOGLE_APPLICATION_CREDENTIALS or the service account key for that project.
So, if you were to use the Application Default Credentials then you are assuming that any one of the above two scenarios has already been met. And you cannot answer the question based on assumptions!
https://cloud.google.com/pubsub/docs/access-control:
"For example, suppose a service account in Cloud Project A wants to publish messages to a topic in Cloud Project B. You could accomplish this by granting the service account Edit permission in Cloud Project B"
B is the answer
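The cross-project grant that answer B describes, as an added example that is not code from the question or any of the comments: it edits a topic IAM policy in the JSON shape that `gcloud pubsub topics get-iam-policy TOPIC --format=json` returns, binds a project-A service account to roles/pubsub.publisher on one topic in project B, and audits that the grant is no broader than that. Project ids, the topic name and the service-account email are constructed placeholders.

```python
"""Grant a project-A service account the narrow publisher role on a single
topic in project B, then check the binding for least privilege.
Policy dict shape mirrors `gcloud pubsub topics get-iam-policy --format=json`."""
import copy

PUBLISHER = "roles/pubsub.publisher"
# Roles broader than the task needs (they also allow subscribing or admin).
BROAD_ROLES = {"roles/pubsub.editor", "roles/pubsub.admin", "roles/editor", "roles/owner"}

# Constructed placeholders: the topic in project B and its current policy.
TOPIC = "projects/project-b/topics/orders"
TOPIC_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.viewer", "members": ["group:ops@example.com"]},
    ],
    "etag": "BwXplaceholderEtag=",
    "version": 1,
}


def sa_project(sa_email):
    """Owning project, parsed from NAME@PROJECT_ID.iam.gserviceaccount.com."""
    return sa_email.split("@", 1)[1].split(".", 1)[0]


def add_publisher(policy, sa_email):
    """Return a copy of policy with sa_email bound to roles/pubsub.publisher.
    Idempotent: calling it twice does not duplicate the member."""
    member = f"serviceAccount:{sa_email}"
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == PUBLISHER:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": PUBLISHER, "members": [member]})
    return new


def audit_binding(policy, sa_email, topic):
    """Roles the service account holds on the topic, whether publisher is among
    them, any role wider than publisher, and whether the grant crosses projects."""
    member = f"serviceAccount:{sa_email}"
    roles = sorted(b["role"] for b in policy["bindings"] if member in b["members"])
    return {
        "roles": roles,
        "publisher": PUBLISHER in roles,
        "too_broad": sorted(set(roles) & BROAD_ROLES),
        "cross_project": sa_project(sa_email) != topic.split("/")[1],
    }


if __name__ == "__main__":
    sa = "publisher@project-a.iam.gserviceaccount.com"  # owned by project A
    print(audit_binding(add_publisher(TOPIC_POLICY, sa), sa, TOPIC))
```

Apply the resulting policy with `gcloud pubsub topics set-iam-policy TOPIC policy.json`, or add just the one binding with `gcloud pubsub topics add-iam-policy-binding`.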