Google Cloud Professional Cloud Developer — Question 251
Your team is creating a serverless web application on Cloud Run. The application needs to access images stored in a private Cloud Storage bucket. You want to give the application Identity and Access Management (IAM) permission to access the images in the bucket, while also securing the services using Google-recommended best practices. What should you do?
Answer options
- A. Enforce signed URLs for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.
- B. Enforce public access prevention for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.
- C. Enforce signed URLs for the desired bucket. Create and update the Cloud Run service to use a user-managed service account. Grant the Storage Object Viewer IAM role on the bucket to the service account.
- D. Enforce public access prevention for the desired bucket. Create and update the Cloud Run service to use a user-managed service account. Grant the Storage Object Viewer IAM role on the bucket to the service account.
Correct answer: D
Explanation
The correct answer is D because it combines public access prevention on the bucket with a user-managed service account for the Cloud Run service, which enhances security by limiting access to the bucket while still allowing the application to read the images. Options A and C rely on signed URLs, which are less secure for managing access to a private bucket. Option B also uses the Compute Engine default service account, which does not follow the best practice of running the service under a user-managed service account.
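As an added illustration (not part of the exam page), the following Terraform configuration implements answer D end to end: public access prevention on the bucket, a user-managed service account for the Cloud Run service, and a bucket-scoped Storage Object Viewer binding. The project id, region, bucket name, service account id and container image are placeholders chosen for the example.

```hcl
# Added example, not part of the original page. Placeholders below
# (project id, region, bucket name, account id, image) are assumptions.
variable "project_id" { type = string }
variable "region" {
  type    = string
  default = "us-central1"
}

# Private bucket: public access prevention rejects any allUsers or
# allAuthenticatedUsers binding, so the images can never be made public.
resource "google_storage_bucket" "images" {
  name                        = "${var.project_id}-app-images" # placeholder
  location                    = var.region
  project                     = var.project_id
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
}

# User-managed service account for the service, instead of the Compute
# Engine default service account, so the identity carries only the
# permissions granted below.
resource "google_service_account" "app" {
  project      = var.project_id
  account_id   = "image-app-run" # placeholder
  display_name = "Cloud Run image app"
}

# Least privilege: read-only object access on this one bucket, granted on
# the bucket rather than at project level.
resource "google_storage_bucket_iam_member" "app_viewer" {
  bucket = google_storage_bucket.images.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.app.email}"
}

# Cloud Run service configured to run as the user-managed service account.
resource "google_cloud_run_v2_service" "app" {
  name     = "image-app"
  location = var.region
  project  = var.project_id
  template {
    service_account = google_service_account.app.email
    containers {
      image = "us-docker.pkg.dev/${var.project_id}/app/image-app:latest" # placeholder
      env {
        name  = "IMAGES_BUCKET"
        value = google_storage_bucket.images.name
      }
    }
  }
}
```

Inside the container the Cloud Storage client library picks up the service account through Application Default Credentials from the metadata server, so no key file is created or mounted.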