Google Cloud Associate Cloud Engineer — Question 8
You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?
Answer options
- A. Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/devstorage.write_only'.
- B. Create a service account with an access scope. Use the access scope 'https://www.googleapis.com/auth/cloud-platform'.
- C. Create a service account and add it to the IAM role 'storage.objectCreator' for that bucket.
- D. Create a service account and add it to the IAM role 'storage.objectAdmin' for that bucket.
Correct answer: C
Explanation
The correct answer is C because assigning the IAM role 'storage.objectCreator' allows the service account to write objects to the specified Cloud Storage bucket, which is the intended purpose. Option A provides limited write access, while option B grants broader permissions that may not be necessary. Option D gives too much access, allowing deletion and modification of objects, which exceeds the requirement.