Google Cloud Professional Cloud Architect — Question 93
Your company pushes batches of sensitive transaction data from its application server VMs to Cloud Pub/Sub for processing and storage. What is the Google-recommended way for your application to authenticate to the required Google Cloud services?
Answer options
- A. Ensure that VM service accounts are granted the appropriate Cloud Pub/Sub IAM roles.
- B. Ensure that VM service accounts do not have access to Cloud Pub/Sub, and use VM access scopes to grant the appropriate Cloud Pub/Sub IAM roles.
- C. Generate an OAuth2 access token for accessing Cloud Pub/Sub, encrypt it, and store it in Cloud Storage for access from each VM.
- D. Create a gateway to Cloud Pub/Sub using a Cloud Function, and grant the Cloud Function service account the appropriate Cloud Pub/Sub IAM roles.
Correct answer: A
Explanation
The correct answer is A because granting the appropriate IAM roles to the VM service accounts lets the application authenticate securely and interact with Cloud Pub/Sub directly. Option B is wrong because it restricts the service accounts' access to Cloud Pub/Sub, which would hinder the application's ability to send data. Option C introduces unnecessary complexity by requiring a token to be generated and stored, and option D adds a Cloud Function layer that is not needed for direct access.