Google Cloud Professional Cloud Developer — Question 235
You have two Google Cloud projects, named Project A and Project B. You need to create a Cloud Function in Project A that saves the output in a Cloud Storage bucket in Project B. You want to follow the principle of least privilege. What should you do?
Answer options
- A. 1. Create a Google service account in Project B. 2. Deploy the Cloud Function with the service account in Project A. 3. Assign this service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
- B. 1. Create a Google service account in Project A. 2. Deploy the Cloud Function with the service account in Project A. 3. Assign this service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
- C. 1. Determine the default App Engine service account (PROJECT_ID@appspot.gserviceaccount.com) in Project A. 2. Deploy the Cloud Function with the default App Engine service account in Project A. 3. Assign the default App Engine service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
- D. 1. Determine the default App Engine service account (PROJECT_ID@appspot.gserviceaccount.com) in Project B. 2. Deploy the Cloud Function with the default App Engine service account in Project A. 3. Assign the default App Engine service account the roles/storage.objectCreator role on the storage bucket residing in Project B.
Correct answer: B
Explanation
The correct answer is B because it creates a service account in the same project where the Cloud Function is deployed (Project A) and grants it the necessary permissions on the storage bucket in Project B. Options A, C, and D either do not adhere to the principle of least privilege or misconfigure the service accounts across the projects.