Google Cloud Professional Cloud Developer — Question 162
You have an application written in Python running in production on Cloud Run. Your application needs to read/write data stored in a Cloud Storage bucket in the same project. You want to grant access to your application following the principle of least privilege. What should you do?
Answer options
- A. Create a user-managed service account with a custom Identity and Access Management (IAM) role.
- B. Create a user-managed service account with the Storage Admin Identity and Access Management (IAM) role.
- C. Create a user-managed service account with the Project Editor Identity and Access Management (IAM) role.
- D. Use the default service account linked to the Cloud Run revision in production.
Correct answer: A
Explanation
Creating a user-managed service account with a custom IAM role lets you grant exactly the permissions the application needs (object reads and writes on the bucket) and nothing more, which is what the principle of least privilege requires. The Storage Admin role grants far more than that, including bucket and IAM policy management, and the Project Editor role grants broad write access across the whole project, not just Cloud Storage. The default service account that Cloud Run uses when none is specified also carries more permissions than the application strictly needs, so relying on it does not satisfy least privilege either.
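The following script, added here as an example and not part of the exam page, shows how option A is carried out with gcloud: a custom role holding only object-level permissions, a user-managed service account, a binding on the one bucket (not the whole project), and a Cloud Run update so the revision runs as that identity. Project, bucket, region, service, account and role names are placeholders; the permission list is an assumption about what "read/write objects" needs for this application. By default the script only prints the gcloud commands (DRY_RUN=1), so it can be reviewed without a GCP project.

```shell
#!/bin/sh
# Added example (not from the exam page): least-privilege bucket access for a
# Cloud Run service via a user-managed service account and a custom IAM role.
# All names below are placeholders (assumptions), overridable via the environment.
PROJECT_ID="${PROJECT_ID:-my-project-id}"
BUCKET="${BUCKET:-my-app-bucket}"
SERVICE="${SERVICE:-my-python-service}"
REGION="${REGION:-us-central1}"
SA_NAME="${SA_NAME:-cloud-run-bucket-rw}"
ROLE_ID="${ROLE_ID:-bucketObjectReadWrite}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# DRY_RUN=1 (default) prints each gcloud command instead of executing it,
# so the plan can be reviewed (or run here) without an authenticated gcloud.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Permissions assumed for an object read/write workload. storage.objects.delete
# is included because overwriting an existing object requires it; drop it if
# the app only creates new objects and never replaces them.
role_permissions() {
  printf '%s\n' storage.objects.get storage.objects.list \
                storage.objects.create storage.objects.delete
}

# Custom role definition in the YAML format accepted by
# `gcloud iam roles create --file`.
role_yaml() {
  printf 'title: "Bucket object read/write"\n'
  printf 'description: "Least-privilege object access for the Cloud Run app"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  role_permissions | while read -r p; do printf -- '- %s\n' "$p"; done
}

# Guard: every permission must be object-scoped and none may touch IAM policy,
# so the role can never grow into a bucket- or project-admin role unnoticed.
role_is_scoped() {
  ! role_permissions | grep -Evq '^storage\.objects\.' \
    && ! role_permissions | grep -Eq 'IamPolicy$'
}

apply() {
  role_is_scoped || { echo "refusing: custom role is not object-scoped" >&2; return 1; }
  role_file="$(mktemp)"
  role_yaml > "$role_file"
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$role_file"
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
      --display-name="Cloud Run bucket read/write"
  # Bind on the bucket, not the project, so the role grants nothing elsewhere.
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
      --member="serviceAccount:$SA_EMAIL" \
      --role="projects/$PROJECT_ID/roles/$ROLE_ID"
  # Run the revision as the new identity instead of the default service account.
  run gcloud run services update "$SERVICE" --region="$REGION" \
      --project="$PROJECT_ID" --service-account="$SA_EMAIL"
  rm -f "$role_file"
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Review the printed plan with `sh least-privilege.sh apply`, then execute it for real with `DRY_RUN=0 sh least-privilege.sh apply` after `gcloud auth login` against the target project. The bucket-level binding is the important detail: granting the same custom role at project level would extend it to every bucket in the project. If nothing is specified, Cloud Run runs revisions as the Compute Engine default service account, which is granted the project-level Editor role unless an organization policy disables that automatic grant, which is why option D fails least privilege.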