You will have several applications running on different Compute Engine instances in the same project. You want to specify at a more granular level the service account each instance uses when calling Google Cloud APIs. What should you do?
A. When creating the instances, specify a Service Account for each instance.
B. When creating the instances, assign the name of each Service Account as instance metadata.
C. After starting the instances, use gcloud compute instances update to specify a Service Account for each instance.
D. After starting the instances, use gcloud compute instances update to assign the name of the relevant Service Account as instance metadata.
A, when you create an instance using the gcloud command-line tool or the Google Cloud Console, you can specify which service account the instance uses when calling Google Cloud APIs - https://cloud.google.com/compute/docs/access/service-accounts#associating_a_service_account_to_an_instance
A. When creating the instances, specify a Service Account for each instance.
To specify a more granular level of service account for each Compute Engine instance, you should specify a Service Account for each instance when you create it. This can be done through the Compute Engine API or the Cloud Console. By doing so, the specified Service Account will be used when calling Google Cloud APIs from that instance.
Option B, assigning the name of each Service Account as instance metadata, is not the best solution as metadata can be accessed by anyone with access to the instance, which could potentially lead to security issues.
Options C and D, using gcloud compute instances update to specify a Service Account or assign the name of a Service Account as instance metadata after starting the instances, can also be done, but it is a less efficient approach as it requires additional steps and can lead to human error if not properly documented.
A: you can define which GCP service account is associated with a Compute Engine instance when creating one. It is still possible to change the service account later.
Link to the GCP docs: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using
Even if they would be running, I don't think it's possible to change the service account with the "update" command. You need to use "set-service-account" appropriately: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account
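To check that each instance in a project really has its own service account, as the answers above discuss, here is an added example (not from any of the posts above) that audits output in the shape of `gcloud compute instances list --format=json`. The instance names, project number and e-mail addresses are constructed sample data, and `audit_service_accounts` is a hypothetical helper name.

```python
import json
import re
from collections import defaultdict

# Constructed sample: only the fields this audit reads, in the shape of
# `gcloud compute instances list --format=json`. All names are made up.
SAMPLE = json.loads("""
[
 {"name": "billing-api",
  "serviceAccounts": [{"email": "billing-api@example-proj.iam.gserviceaccount.com"}]},
 {"name": "report-worker",
  "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com"}]},
 {"name": "queue-a",
  "serviceAccounts": [{"email": "queue@example-proj.iam.gserviceaccount.com"}]},
 {"name": "queue-b",
  "serviceAccounts": [{"email": "queue@example-proj.iam.gserviceaccount.com"}]},
 {"name": "batch-1"}
]
""")

# The Compute Engine default service account is PROJECT_NUMBER-compute@developer...
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

def audit_service_accounts(instances):
    """Return {instance_name: [findings]} for instances without a dedicated account."""
    by_email = defaultdict(list)
    findings = defaultdict(list)
    for inst in instances:
        accounts = inst.get("serviceAccounts") or []
        if not accounts:
            findings[inst["name"]].append("no service account attached")
        for acct in accounts:
            email = acct.get("email", "")
            by_email[email].append(inst["name"])
            if DEFAULT_SA.match(email):
                findings[inst["name"]].append(
                    "uses the Compute Engine default service account")
    # A user-managed account on several instances is a review item: it may be
    # intended (replicas of one application) or a sign of missing granularity.
    for email, names in by_email.items():
        if len(names) > 1 and not DEFAULT_SA.match(email):
            for name in names:
                findings[name].append(
                    f"shares {email} with {len(names) - 1} other instance(s)")
    return dict(findings)

if __name__ == "__main__":
    for name, issues in sorted(audit_service_accounts(SAMPLE).items()):
        print(f"{name}: {'; '.join(issues)}")
```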