Your company runs a group of Compute Engine instances that execute nightly analytics jobs containing protected health information (PHI). The jobs must read reference files from an encrypted Cloud Storage bucket and write results to a BigQuery dataset, both located in the production project. Compliance forbids embedding any long-lived user credentials in the VM images, and the security team requires least-privilege access with minimal operational effort for credential rotation. Which design best satisfies these constraints?
Store a Cloud Storage HMAC key in Secret Manager; have the application fetch the key at startup to sign requests to the bucket and to authenticate to BigQuery with signed URLs.
Grant the default Compute Engine service account the Project Editor role and let the application use the default credentials automatically provided by the metadata server.
Create a dedicated service account (for example, sa-analytics-vm). Grant it Storage Object Viewer on the specific bucket and BigQuery Data Editor on the target dataset, attach it as the runtime service account for the instances, and do not generate any user-managed keys.
Generate individual service-account keys for each engineer, embed the JSON key files in the VM startup script, and grant BigQuery Admin and Storage Admin roles at the project level. Rotate the keys quarterly.
Attaching a dedicated service account to the Compute Engine instances and granting it only the permissions required for the two target resources meets the principle of least privilege. Because the service account is bound to the VM, the workload can obtain short-lived OAuth 2.0 tokens from the instance metadata server at run time; no user credentials or downloadable keys need to be stored on disk, so key rotation happens automatically. Granting broad project-level roles or distributing user-managed keys would violate least-privilege goals and introduce operational overhead. Using HMAC or signed URLs still requires managing long-lived secrets and does not cover BigQuery access.
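To make the explanation's criteria concrete, the following is an added Python example (not part of the original question or exam material) that encodes them as a small audit: the two resource-scoped grants the job needs, the broad roles and credential types the distractors rely on, and the metadata-server token request a VM-attached service account uses instead of stored keys. The service-account name and project id in the sample designs are placeholders.

```python
import urllib.request

# Token endpoint used by a VM-attached service account; the Metadata-Flavor
# header is mandatory, the metadata server refuses requests without it.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")

# The only two grants the nightly job needs, each scoped to its resource.
ALLOWED_GRANTS = {("bucket", "roles/storage.objectViewer"),
                  ("dataset", "roles/bigquery.dataEditor")}
BROAD_ROLES = {"roles/owner", "roles/editor",
               "roles/storage.admin", "roles/bigquery.admin"}

def metadata_token_request():
    """Build (not send) the request the workload makes for a short-lived token."""
    return urllib.request.Request(METADATA_TOKEN_URL,
                                  headers={"Metadata-Flavor": "Google"})

def audit(design):
    """Return least-privilege findings for a design description.

    design = {"bindings": [{"scope": "project"|"bucket"|"dataset",
                            "role": str, "member": str}, ...],
              "user_managed_keys": bool, "hmac_keys": bool}
    """
    findings = []
    for b in design["bindings"]:
        where = f"{b['role']} on {b['scope']} for {b['member']}"
        if b["scope"] == "project" or b["role"] in BROAD_ROLES:
            findings.append("broad grant: " + where)
        elif (b["scope"], b["role"]) not in ALLOWED_GRANTS:
            findings.append("grant outside the job's needs: " + where)
        if b["member"].endswith("-compute@developer.gserviceaccount.com"):
            findings.append("default Compute Engine SA used: " + where)
    if design.get("user_managed_keys"):
        findings.append("user-managed service-account keys in use")
    if design.get("hmac_keys"):
        findings.append("long-lived HMAC keys in use")
    return findings

# Constructed designs mirroring two answer choices (PROJECT_ID is a placeholder).
DEFAULT_SA_EDITOR = {"bindings": [{"scope": "project", "role": "roles/editor",
    "member": "serviceAccount:123456-compute@developer.gserviceaccount.com"}]}
DEDICATED_SA = {"bindings": [
    {"scope": "bucket", "role": "roles/storage.objectViewer",
     "member": "serviceAccount:sa-analytics-vm@PROJECT_ID.iam.gserviceaccount.com"},
    {"scope": "dataset", "role": "roles/bigquery.dataEditor",
     "member": "serviceAccount:sa-analytics-vm@PROJECT_ID.iam.gserviceaccount.com"}],
    "user_managed_keys": False, "hmac_keys": False}
```

Running `audit(DEDICATED_SA)` returns no findings, while the default-service-account design is flagged for both the project-level Editor grant and the use of the default account.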
GCP Professional Data Engineer
Designing data processing systems