A healthcare company stores sensitive invoices in a Cloud Storage bucket that has both Uniform bucket-level access and Public access prevention enforced. An external auditor needs read-only access to a single CSV object for the next 7 days. The company does not want to create or manage an IAM identity for the auditor, and the bucket's security settings must remain unchanged. Which approach should you take?
Add the allUsers principal to the bucket IAM policy with the Storage Object Viewer role, then remove the binding after 7 days.
Generate a Cloud Storage V4 signed URL for the CSV object that expires in 7 days using a service account that has storage.objects.get permission, and send the URL to the auditor.
Temporarily disable Uniform bucket-level access, add an object-level READ ACL for the auditor's email address, and re-enable Uniform bucket-level access after 7 days.
Change the bucket's Public access prevention setting to "inherited" and rely on the obscurity of the object's name for security.
Generating a V4 signed URL meets every requirement. A signed URL embeds a cryptographic signature created by a service account that already has storage.objects.get permission. Anyone who possesses the URL can download only the specified object, and the URL automatically expires after the duration you set (up to 7 days with V4). Signed URLs work even when Uniform bucket-level access is enabled because they do not rely on ACLs, and they are allowed under Public access prevention because access is authenticated by the signature. Granting allUsers IAM access would violate Public access prevention, object ACLs cannot be used while Uniform bucket-level access is on, and making the bucket public is disallowed and insecure.
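A check to run before the URL is sent to the auditor, added here as an example (it is not part of the original question or of any Google tooling): it parses a V4 signed URL and reports which object it exposes, which service account signed it, and when it stops working, rejecting any lifetime above the 7-day maximum. The bucket, object, and service account names are constructed, path-style URLs are assumed, and the signature itself is not verified.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs, unquote

MAX_V4_LIFETIME = 7 * 24 * 3600  # 604800 s, the V4 ceiling cited above

# Constructed sample; the signature is a dummy value, not a real one.
SAMPLE_URL = (
    "https://storage.googleapis.com/example-invoices/2024/q1.csv"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=auditor-share%40example-project.iam.gserviceaccount.com"
    "%2F20240101%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20240101T000000Z&X-Goog-Expires=604800"
    "&X-Goog-SignedHeaders=host&X-Goog-Signature=00ff"
)

def inspect_signed_url(url):
    """Describe a path-style V4 signed URL; raise ValueError if malformed
    or if its lifetime is outside 1..604800 seconds."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "storage.googleapis.com":
        raise ValueError("expected https://storage.googleapis.com/BUCKET/OBJECT")
    bucket, _, obj = parts.path.lstrip("/").partition("/")
    if not bucket or not obj:
        raise ValueError("URL must name a single object, not a bucket")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    required = ("X-Goog-Algorithm", "X-Goog-Credential", "X-Goog-Date",
                "X-Goog-Expires", "X-Goog-SignedHeaders", "X-Goog-Signature")
    missing = [name for name in required if name not in q]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))
    if not q["X-Goog-Algorithm"].startswith("GOOG4-"):
        raise ValueError("not a V4 signed URL")
    lifetime = int(q["X-Goog-Expires"])  # non-numeric input raises ValueError
    if not 0 < lifetime <= MAX_V4_LIFETIME:
        raise ValueError("lifetime outside 1..604800 seconds")
    issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    # Credential is SIGNER/DATE/LOCATION/storage/goog4_request
    signer = q["X-Goog-Credential"].split("/", 1)[0]
    return {"bucket": bucket, "object": unquote(obj), "signer": signer,
            "issued": issued, "expires": issued + timedelta(seconds=lifetime)}

if __name__ == "__main__":
    for key, value in inspect_signed_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

Because anyone holding the URL can read the object until the reported expiry, treat the URL itself as a secret and deliver it over a channel you would trust with the CSV.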
GCP Associate Cloud Engineer
Ensuring successful operation of a cloud solution