A startup is migrating a data-processing script to a Linux VM on Google Cloud. The script must upload result files to a Cloud Storage bucket in the same project. The security team requires that no long-lived user credentials or other static secrets be stored on the instance. Which approach follows Google-recommended practices for authenticating the script to Cloud Storage?
Create a new user-managed service account, grant it the Storage Object Creator role on the bucket, and configure the VM to run as that service account.
Enable Cloud Shell, copy its temporary access token to the VM at runtime, and reuse the token for the script.
Create an API key in the Google Cloud console and set it as an environment variable on the VM for the script to call Cloud Storage.
Generate a JSON key file for a Google Account, copy the key to the VM, and have the script use it to obtain an access token.
Running the VM with a dedicated, user-managed service account provides the workload with its own identity. When the service account is attached to the instance, the metadata server automatically supplies short-lived OAuth2 tokens that the script can use, so no keys or passwords are stored on the VM. Granting the service account only the Storage Object Creator role on the target bucket enforces the principle of least privilege. The other options either rely on long-lived credentials (JSON key, API key), reuse a human user's token, or are not intended for server-to-server authentication, so they violate the security team's constraints.
GCP Associate Cloud Engineer
Configuring access and security