Exam Professional Cloud Developer topic 1 question 243 discussion

Actual exam question from Google's Professional Cloud Developer
Question #: 243
Topic #: 1

You have two Google Cloud projects, named Project A and Project B. You need to create a Cloud Function in Project A that saves the output in a Cloud Storage bucket in Project B. You want to follow the principle of least privilege. What should you do?

  • A. 1. Create a Google service account in Project B.
    2. Deploy the Cloud Function with the service account in Project A.
    3. Assign this service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
  • B. 1. Create a Google service account in Project A.
    2. Deploy the Cloud Function with the service account in Project A.
    3. Assign this service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
  • C. 1. Determine the default App Engine service account ([email protected]) in Project A.
    2. Deploy the Cloud Function with the default App Engine service account in Project A.
    3. Assign the default App Engine service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
  • D. 1. Determine the default App Engine service account ([email protected]) in Project B.
    2. Deploy the Cloud Function with the default App Engine service account in Project A.
    3. Assign the default App Engine service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
Suggested Answer: B
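
An added example, not part of the original question or the site's answer: a Python check that audits the IAM policy of the Project B bucket against the setup described in option B. The policy, project IDs and account names are constructed for illustration; the check assumes the standard `bindings` list of role and members.

```python
import re

# Constructed sample: bucket IAM policy in the JSON shape printed by
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
# Project IDs, account names and bindings are hypothetical.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:fn-writer@project-a.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:project-a@appspot.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"]},
    ]
}

ALLOWED_ROLE = "roles/storage.objectCreator"
# User-managed accounts: NAME@PROJECT_ID.iam.gserviceaccount.com
USER_MANAGED = re.compile(r"^[^@]+@([a-z0-9-]+)\.iam\.gserviceaccount\.com$")
# Default App Engine account: PROJECT_ID@appspot.gserviceaccount.com
APPSPOT_DEFAULT = re.compile(r"^([a-z0-9-]+)@appspot\.gserviceaccount\.com$")


def audit_bucket_policy(policy, function_project, expected_sa):
    """Return findings about function_project's service accounts on the bucket."""
    granted = {}  # service account email -> set of roles on the bucket
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind == "serviceAccount":
                granted.setdefault(email, set()).add(binding["role"])
    findings = []
    for email, roles in sorted(granted.items()):
        default = APPSPOT_DEFAULT.match(email)
        match = default or USER_MANAGED.match(email)
        if not match or match.group(1) != function_project:
            continue  # not a service account owned by the function's project
        if default:
            findings.append(f"{email}: default App Engine account, not a dedicated one")
        for role in sorted(roles - {ALLOWED_ROLE}):
            findings.append(f"{email}: role {role} is not needed for write-only output")
    if ALLOWED_ROLE not in granted.get(expected_sa, set()):
        findings.append(f"{expected_sa}: missing {ALLOWED_ROLE}, the function cannot write")
    return findings
```

Calling `audit_bucket_policy(SAMPLE_POLICY, "project-a", "fn-writer@project-a.iam.gserviceaccount.com")` reports the two problems with the default App Engine account and nothing for the dedicated one.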

Comments

alpha_canary
6 months, 3 weeks ago
Selected Answer: B
quite straightforward
upvoted 1 times
...
__rajan__
1 year, 1 month ago
Selected Answer: B
B is correct.
upvoted 1 times
...
purushi
1 year, 2 months ago
Selected Answer: B
B is correct. Simple and straightforward. Create SA in Project A, assign SA the role of object creator to push objects to Cloud bucket in Project B.
upvoted 1 times
...
Pime13
1 year, 7 months ago
Took my exam yesterday (01-03-2023) and this question was there.
upvoted 4 times
...
Pime13
1 year, 8 months ago
Selected Answer: B
it's B. https://articles.wesionary.team/multi-project-account-service-account-in-gcp-ba8f8821347e
upvoted 2 times
...
mrvergara
1 year, 8 months ago
Selected Answer: B
A is not correct because you cannot run a Cloud Function with a service account that is not in the same Google Cloud project. B is correct because it follows the least privilege principle and for a Cloud Function, the service account must be created in the same project where the function is getting executed.
upvoted 3 times
...
anukulk
1 year, 8 months ago
Option B is right. We have permissions to object creation in project for the SA created in project A. https://www.youtube.com/watch?v=ctACCk80H-w
upvoted 2 times
...
mrvergara
1 year, 8 months ago
Selected Answer: A
In option B, a service account is created in Project A, but this service account would have access to all the resources within Project A, which is more than is necessary for the task of saving output to a storage bucket in Project B. Options C and D use the default App Engine service account, which would have more permissions than necessary, as it would have access to all App Engine resources within Project A or B, rather than just the permissions needed for the task of saving output to a storage bucket in Project B.
upvoted 2 times
TNT87
1 year, 8 months ago
No, it can't be A, check the link provided below please. It can't be A, there is no way.
upvoted 1 times
mrvergara
1 year, 8 months ago
https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application In this guide, it explains the best practice for providing authentication credentials to your application. By creating a separate Google service account in the project that owns the resource you want to access (in this case, Project B), and then using that service account to perform actions on the resource (writing to the Cloud Storage bucket in Project B), you are following the principle of least privilege. This means that you are granting the minimum permissions necessary to perform the desired action.
upvoted 1 times
mrvergara
1 year, 8 months ago
It is the B option
upvoted 1 times
...
TNT87
1 year, 8 months ago
Anyway, I passed my exam last week.
upvoted 1 times
mrvergara
1 year, 8 months ago
Congrats, this time you are right. The answer is option B
upvoted 1 times
...
TNT87
1 year, 9 months ago
Selected Answer: C
https://cloud.google.com/functions/docs/concepts/iam#runtime_service_accounts
upvoted 1 times
...