To provide temporary write access to a Cloud Storage bucket with the minimum permissions

necessary, you should:

Identify the Compute Engine instance’s default service account: Each Compute Engine instance has a

default service account that is used to interact with other Google Cloud services.

Assign the storage.objectCreator role: This predefined IAM role grants permissions to create objects

in a Cloud Storage bucket, which is sufficient for temporary write access. It does not grant

permissions to read or delete objects, thus adhering to the principle of least privilege.

Avoid using full permissions or long-lived keys: Options A and C suggest using broader permissions

than necessary or embedding long-lived keys, which could pose a security risk if compromised.

Service account impersonation (Option D) is not necessary for this task and would be more

appropriate for scenarios where you need to assume a different identity with different permissions.

Reference::

Google Cloud documentation on IAM roles for Cloud Storage, which lists the storage.objectCreator

role as providing permissions to create objects without granting full administrative access to the

bucket1.

Best practices for access control in Cloud Storage recommend using the least privilege necessary and

avoiding the use of long-lived service account keys2.