Your organization runs a nightly Python ETL on a managed instance group of Compute Engine VMs. The code must read objects from a Cloud Storage bucket (gs://raw-sales) in project-data and write results to the analytics.sales BigQuery dataset in project-analytics. Security mandates that no human credentials or static keys reside on the VMs, access follows least privilege, and credentials rotate automatically without rebuilding images. Which solution best satisfies all requirements?
Store an OAuth 2.0 refresh token for a privileged developer account in Secret Manager and have the ETL retrieve it on startup to authenticate to Cloud Storage and BigQuery.
Generate a JSON key for a new service account with Storage Admin and BigQuery Admin roles, copy the key to each VM, and configure the ETL to use it via the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Create a dedicated service account, grant it Storage Object Viewer on gs://raw-sales and BigQuery DataEditor on analytics.sales, and attach that account to the VM instances so they obtain short-lived tokens from the metadata server at runtime.
Grant the Compute Engine default service account the Project Editor role on both projects so the VMs automatically inherit all necessary permissions.
Attaching a dedicated service account to the VMs (for a managed instance group, on the instance template) lets the application obtain short-lived OAuth 2.0 access tokens from the instance metadata server at runtime through Application Default Credentials; no key is written to disk, and Google issues and rotates the tokens automatically, typically with a one-hour lifetime. Granting that service account only Storage Object Viewer on gs://raw-sales and BigQuery Data Editor on analytics.sales, rather than project-wide roles, implements least privilege. Because the bucket and dataset live in different projects, the bindings are set on those resources in project-data and project-analytics respectively, and if the ETL writes through load or query jobs the account also needs BigQuery Job User in the project where the jobs run. Legacy access scopes on the instance still bound what the token can do, so the template must request the cloud-platform scope (or the Storage and BigQuery scopes) for the IAM grants to take effect. Giving the Compute Engine default service account Project Editor on both projects grants far more than the job needs and violates least privilege. A JSON key copied to each VM is a long-lived static credential that must be rotated by hand and baked into images, and a developer's refresh token is a human credential that stays valid until revoked even when held in Secret Manager, so both breach the stated constraints.
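The explanation above covers the runtime side of the correct answer: credentials come from the metadata server, not from a key on disk. The startup guard below is an added example written for this page, not code from the exam provider or from Google. It assumes the instance template attaches a dedicated account with the cloud-platform access scope and that the ETL writes BigQuery through load jobs; the account name etl-nightly@project-data.iam.gserviceaccount.com and the sample metadata responses are constructed for illustration. It performs the checks a practitioner would want before the job touches data: no key file shadowing ADC, not the default compute account, access scopes that cover both APIs, and a short-lived token.

```python
"""Startup guard for the nightly ETL: refuse to run unless credentials come
from the attached service account via the Compute Engine metadata server.

Added example for this page (not the exam provider's or Google's code).
Assumptions: the instance template attaches a dedicated account with the
cloud-platform scope; names and sample responses below are constructed.
"""
import json
import os
import urllib.request

METADATA_SA = ("http://metadata.google.internal/computeMetadata/v1/"
               "instance/service-accounts/default/")
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
# Scopes that cover each API the ETL uses; cloud-platform is a superset of both.
STORAGE_READ_SCOPES = {
    CLOUD_PLATFORM,
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}
BIGQUERY_SCOPES = {CLOUD_PLATFORM, "https://www.googleapis.com/auth/bigquery"}

# Constructed metadata responses (what the real endpoints return on a VM).
CONSTRUCTED_GOOD = {
    "email": "etl-nightly@project-data.iam.gserviceaccount.com\n",
    "scopes": "https://www.googleapis.com/auth/cloud-platform\n",
    "token": '{"access_token":"ya29.constructed","expires_in":3599,"token_type":"Bearer"}',
}
CONSTRUCTED_BAD = {
    "email": "123456789012-compute@developer.gserviceaccount.com",
    "scopes": "https://www.googleapis.com/auth/devstorage.read_only\n",
    "token": '{"access_token":"ya29.constructed","expires_in":3599,"token_type":"Bearer"}',
}


def metadata_get(path):
    """Read one value from the metadata server. The Metadata-Flavor header is
    mandatory; the server rejects requests that lack it."""
    req = urllib.request.Request(METADATA_SA + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def key_file_in_use(env):
    """True when ADC would pick up a JSON key on disk instead of the metadata server."""
    return bool(env.get("GOOGLE_APPLICATION_CREDENTIALS"))


def is_default_compute_sa(email):
    """The default compute account is the one the wrong answer over-privileges."""
    return email.strip().endswith(DEFAULT_COMPUTE_SA_SUFFIX)


def missing_scopes(granted):
    """Return the APIs whose access scope is absent from the instance's scopes."""
    granted = set(granted)
    missing = []
    if not granted & STORAGE_READ_SCOPES:
        missing.append("storage")
    if not granted & BIGQUERY_SCOPES:
        missing.append("bigquery")
    return missing


def token_is_short_lived(token, max_seconds=3600):
    """Metadata-server tokens carry expires_in; anything longer than an hour
    did not come from this endpoint."""
    return 0 < int(token.get("expires_in", 0)) <= max_seconds


def validate_runtime_identity(fetch=metadata_get, env=None):
    """Run every check; an empty list means the VM matches the correct answer."""
    env = os.environ if env is None else env
    problems = []
    if key_file_in_use(env):
        problems.append("GOOGLE_APPLICATION_CREDENTIALS is set: a static key "
                        "would shadow the attached account")
    email = fetch("email").strip()
    if is_default_compute_sa(email):
        problems.append(f"{email} is the default compute account, not a dedicated one")
    for api in missing_scopes(fetch("scopes").split()):
        problems.append(f"instance access scopes do not cover {api}; fix the template")
    if not token_is_short_lived(json.loads(fetch("token"))):
        problems.append("token lifetime is not the expected short-lived value")
    return problems


if __name__ == "__main__":
    # On a real VM this queries the live metadata server and stops the ETL on any finding.
    violations = validate_runtime_identity()
    for v in violations:
        print("credential check failed:", v)
    raise SystemExit(1 if violations else 0)
```

Run it as the first step of the ETL's entrypoint; a non-zero exit keeps a mis-provisioned instance from ever reading the bucket. The `fetch` and `env` parameters exist so the checks can be exercised against the constructed responses without a VM, which is also how the two sample dictionaries above are meant to be used.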
GCP Professional Data Engineer
Designing data processing systems