Your team deploys a Compute Engine instance that pulls reference data from the Cloud Storage bucket gs://finance-data and then writes structured application logs to Cloud Logging. The instance must perform no other Google Cloud operations. Following the principle of least privilege, how should you configure IAM for the instance?
Create a user-managed service account, attach it to the instance, grant the Storage Object Viewer role on gs://finance-data and the Logging Log Writer role on the project.
Use the Compute Engine default service account and grant it the Editor role on the project.
Create a user-managed service account, attach it to the instance, and grant it the Storage Admin role on the bucket.
Allow the instance's service account to impersonate your developer account, which already has Owner on the project.
A least-privileged design creates a dedicated identity for the workload and grants only the specific permissions it needs. Attaching a user-managed service account to the VM and giving it the Storage Object Viewer role on the bucket lets the instance read objects, while the Logging Log Writer role on the project lets it write application logs. No broader project-level roles are required. Using the default service account with the Editor role, impersonating a human Owner account, or granting the Storage Admin role would all provide unnecessary permissions that violate the principle of least privilege.
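The configuration the explanation describes, as an added example that is not part of the exam page: a small gcloud script that creates a dedicated service account, binds Storage Object Viewer at the bucket scope and Logging Log Writer at the project scope, attaches the account to the instance, and then audits which project-level roles the account actually holds. The project ID, zone, service account name and instance name are assumptions; only gs://finance-data and the two roles come from the question. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the exam page). Assumed values below are marked.
set -eu

PROJECT_ID="${PROJECT_ID:-my-finance-project}"   # assumption
ZONE="${ZONE:-us-central1-a}"                      # assumption
SA_NAME="${SA_NAME:-finance-reader}"               # assumption
INSTANCE="${INSTANCE:-finance-worker}"             # assumption
BUCKET="gs://finance-data"                         # from the question
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# run: execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# A dedicated identity for this workload, instead of the Compute Engine default account.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" \
    --display-name="Finance data reader VM"
}

# Bucket-scoped binding: read objects in gs://finance-data and nothing else.
grant_bucket_read() {
  run gcloud storage buckets add-iam-policy-binding "$BUCKET" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="roles/storage.objectViewer"
}

# Log Writer is bound at project level because log entries are written to the project.
grant_log_writer() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="roles/logging.logWriter"
}

# Attach the account to the VM. With the cloud-platform scope, IAM roles (not legacy
# per-API scopes) are what bound the instance's access.
create_instance() {
  run gcloud compute instances create "$INSTANCE" \
    --project="$PROJECT_ID" --zone="$ZONE" \
    --service-account="$SA_EMAIL" \
    --scopes="https://www.googleapis.com/auth/cloud-platform"
}

# Post-check: list every project-level role bound to the account. The expected output is
# exactly one line, roles/logging.logWriter; anything broader (roles/editor, roles/owner)
# means the least-privilege design has drifted.
audit_project_roles() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${SA_EMAIL}" \
    --format="value(bindings.role)"
}

configure_all() {
  create_service_account
  grant_bucket_read
  grant_log_writer
  create_instance
  audit_project_roles
}

# RUN_ALL=1 sh setup.sh        -> applies the configuration
# RUN_ALL=1 DRY_RUN=1 sh setup.sh -> prints the gcloud commands only
if [ "${RUN_ALL:-0}" = "1" ]; then configure_all; fi
```

The audit step is the part worth keeping in a pipeline: the two bindings are on different resources (bucket and project), so a project-level policy dump is the quickest way to confirm the account was not also handed Editor or Owner by someone later.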
GCP Associate Cloud Engineer
Configuring access and security