Q: 10
A batch job running on Compute Engine needs temporary write access to a Cloud Storage bucket.
You want the batch job to use the minimum permissions necessary to complete the task. What
should you do?
Options
Discussion
Makes sense to pick B here since storage.objectCreator lets the batch job write without any extra permissions. Admin access or key files add risk they don't need. Pretty sure that's what GCP recommends; correct me if I'm missing something.
B. Default service account plus storage.objectCreator gives just enough rights for writing without risk of excess permissions, matching least privilege. Not totally sure if D is needed for tightly scoped sessions, but here B fits the question best. Agree?
Ugh, these questions always overcomplicate it. B is the way to go, just grant objectCreator to the default service account: clean and minimal permissions. Not super fancy, but it's what Google pushes in their docs if you don't need timed expiry.
Maybe D here. Impersonation feels like a secure way to grant temporary permissions just for the job, avoiding lingering access. I know B matches least privilege, but I think D addresses the 'temporary' part better. Correct me if I'm missing something.
Probably B
B
B, granting storage.objectCreator to the default service account gives just enough access for the batch job to write to the bucket, without overprovisioning. Full admin rights (A) is way too much, and long-lived keys in scripts (C) are risky security-wise. Impersonation (D) isn't really needed if minimal permissions are the main ask. I think B fits best, but could see some arguing for D if "temporary" was more explicit!
Seen similar logic in the official guide: storage.objectCreator only allows writing, so B matches least privilege best. Not totally sure if D applies since impersonation is more about session creds, but B is what most practice exams focus on.
I think B because storage.objectCreator only grants write access, so it sticks to the least privilege principle. No need for admin or key files here, and this matches what I remember from official docs. Pretty sure that's the intent, but open to disagreement.
B
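The thread discusses the grant in the abstract; below is an added example (not part of the original question or any commenter's post, and not Google's own documentation) of how a practitioner would actually apply it with the gcloud CLI. It scopes roles/storage.objectCreator to a single bucket rather than the project, and attaches an IAM Condition so the binding expires on its own, which is what "temporary" should mean in practice. The bucket name, project and service account are placeholders; the job is assumed to run as a dedicated service account (the Compute Engine default service account usually carries project-level Editor, which would make a minimal bucket grant meaningless). IAM Conditions on bucket bindings require uniform bucket-level access. objectCreator only holds storage.objects.create, so the job can write new objects but cannot list, read, or delete, and cannot overwrite an existing object.

```shell
#!/bin/sh
# Added example: bucket-scoped, time-bounded write grant for a batch job.
# Placeholders: gs://example-batch-output, batch-writer@example-project.iam.gserviceaccount.com
# Requires the gcloud CLI; set DRY_RUN=1 to print the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 (also used by the test below).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# RFC 3339 UTC timestamp N hours from now (GNU date, with a BSD date fallback).
expiry_after_hours() {
  hours="$1"
  date -u -d "+${hours} hours" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -v"+${hours}H" +%Y-%m-%dT%H:%M:%SZ
}

# Bind roles/storage.objectCreator for the service account on ONE bucket,
# with an IAM Condition that makes the binding stop applying at $3.
# Condition syntax follows gcloud: expression=...,title=...,description=...
grant_temporary_write() {
  bucket="$1"; sa="$2"; expires="$3"
  run gcloud storage buckets add-iam-policy-binding "$bucket" \
    --member="serviceAccount:${sa}" \
    --role="roles/storage.objectCreator" \
    --condition="expression=request.time < timestamp(\"${expires}\"),title=batch-write-expiry,description=Temporary write access for the batch job"
}

# Check step: dump the bucket policy so any broader role on the same
# principal (objectAdmin, legacyBucketWriter, admin) is visible before the job runs.
show_bucket_bindings() {
  bucket="$1"
  run gcloud storage buckets get-iam-policy "$bucket" --format=json
}

# Usage (gated so sourcing or testing this file does not call gcloud):
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  EXPIRES="$(expiry_after_hours 2)"
  grant_temporary_write gs://example-batch-output \
    batch-writer@example-project.iam.gserviceaccount.com "$EXPIRES"
  show_bucket_bindings gs://example-batch-output
fi
```

Run it with `RUN_EXAMPLE=1 DRY_RUN=1 sh grant.sh` first to see the exact binding it would create, then without DRY_RUN to apply it. If the job instead needs credentials that expire with the session rather than a binding that expires, service account impersonation is the alternative the thread mentions; the grant above still bounds what the impersonated identity can do.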