Your company is deploying a custom analytics application on a Compute Engine virtual machine. The software must read objects from a private Cloud Storage bucket and write usage metrics to Cloud Monitoring. Interactive logins on the VM are disabled, so the application must authenticate to Google Cloud APIs without any end-user credentials. Which identity should you configure so the application can obtain short-lived access tokens automatically while following Google-recommended practices for workloads?
Add the VM to a Google Group that has the Storage Object Viewer and Monitoring Metric Writer roles.
Create a user-managed service account, grant it the required IAM roles, and attach it to the VM instance.
Assign the project's Owner basic role to the VM through custom instance metadata key-value pairs.
Generate an OAuth 2.0 client ID and secret, then store them in the VM so the application can request refresh tokens.
A user-managed service account is a special, non-human identity intended for applications or compute workloads. When the service account is attached to a Compute Engine VM, the guest environment can automatically retrieve short-lived OAuth 2.0 tokens from the metadata server and use them to call Google Cloud APIs such as Cloud Storage and Cloud Monitoring. Google Groups and OAuth client IDs represent human or web clients, not workload identities, and they cannot be attached to a VM. Granting the basic Owner role to the VM's metadata is not possible and would violate least-privilege principles.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a user-managed service account?
Open an interactive chat with Bash
Why can't an OAuth 2.0 client ID and secret be used for Compute Engine VM authentication?
Open an interactive chat with Bash
What is the principle of least privilege, and how does it apply to IAM roles?
Open an interactive chat with Bash
What is a user-managed service account?
Open an interactive chat with Bash
How does the metadata server provide short-lived access tokens?
Open an interactive chat with Bash
What are IAM roles and why are they important?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Configuring access and security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .