Google Cloud Professional Cloud Security Engineer — Question 197
A batch job running on Compute Engine needs temporary write access to a Cloud Storage bucket. You want the batch job to use the minimum permissions necessary to complete the task. What should you do?
Answer options
- A. Create a service account with full Cloud Storage administrator permissions. Assign the service account to the Compute Engine instance.
- B. Create a service account and embed a long-lived service account key file that has write permissions specified directly in the batch job script.
- C. Create a service account with the storage.objectCreator role. Use service account impersonation in the batch job's code.
- D. Grant the predefined storage.objectCreator role to the Compute Engine instance's default service account.
Correct answer: C
Explanation
Option C is correct. The predefined role roles/storage.objectCreator carries only storage.objects.create, so the job can write new objects but cannot list, read, overwrite or delete them (overwriting an existing object additionally requires storage.objects.delete, which this role does not include). Scoping the grant to the one bucket rather than the project keeps it narrower still. Impersonating a dedicated service account means the job obtains a short-lived access token for that account through the IAM Credentials API (iam.serviceAccounts.getAccessToken); the identity attached to the VM needs only roles/iam.serviceAccountTokenCreator on the batch service account, and the token expires on its own (one hour by default, and a shorter lifetime can be requested), which matches the "temporary" requirement without leaving standing credentials behind.
Option A grants full Cloud Storage administration (bucket and object read, write, delete and IAM changes) for a task that only creates objects. Option B embeds a long-lived service account key in the script: keys never expire unless rotated, are copied wherever the script goes, and are a common leak path. Option D reuses the Compute Engine default service account, which is shared by every VM in the project that uses it and often still carries the project-wide Editor role, so adding a grant there widens access for workloads unrelated to the batch job. A dedicated service account with a single narrow role, reached through impersonation, is the least-privilege choice.
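The setup behind option C, as an added example that is not part of the question page: a time-boxed roles/storage.objectCreator binding for a dedicated service account on one bucket (an IAM condition on request.time supplies the "temporary" part), a check that the same account holds no over-broad role, and a storage client that runs on impersonated, short-lived credentials. The bucket name, project and service-account address are assumed placeholders; google-auth and google-cloud-storage are imported lazily so the policy helpers work without them.

```python
"""Least-privilege, time-boxed bucket write access for a batch job (added example)."""
import copy
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed identifiers: placeholders, not values from the question.
BUCKET = "example-batch-output"
BATCH_SA = "batch-writer@example-project.iam.gserviceaccount.com"
WRITE_ROLE = "roles/storage.objectCreator"          # storage.objects.create only
STORAGE_WRITE_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write"

# Roles that hand a batch job far more than "create objects" (the option A / D shape).
OVERBROAD_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin",
                   "roles/editor", "roles/owner"}


def expiry_condition(valid_for: timedelta, now: Optional[datetime] = None) -> dict:
    """IAM condition (CEL) that stops matching once `valid_for` has elapsed."""
    now = now or datetime.now(timezone.utc)
    expires = (now + valid_for).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "title": "batch-write-window",
        "description": f"temporary object-create access, expires {expires}",
        "expression": f'request.time < timestamp("{expires}")',
    }


def add_temporary_write_binding(policy: dict, member: str, valid_for: timedelta,
                                now: Optional[datetime] = None) -> dict:
    """Return a copy of a bucket IAM policy with a time-boxed objectCreator grant appended."""
    new = copy.deepcopy(policy)
    new["version"] = 3                       # conditional bindings require policy version 3
    new.setdefault("bindings", []).append({
        "role": WRITE_ROLE,
        "members": [f"serviceAccount:{member}"],
        "condition": expiry_condition(valid_for, now),
    })
    return new


def overbroad_grants(policy: dict, member: str) -> list[str]:
    """Roles in `policy` held by `member` that exceed what the batch job needs."""
    principal = f"serviceAccount:{member}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if b["role"] in OVERBROAD_ROLES and principal in b.get("members", []))


def impersonated_storage_client(target_sa: str = BATCH_SA, lifetime_s: int = 900):
    """Storage client running on a short-lived token minted for `target_sa`.

    The caller's own identity (for example the VM's attached service account)
    needs roles/iam.serviceAccountTokenCreator on `target_sa`; nothing else.
    """
    from google.auth import default, impersonated_credentials   # lazy: optional dependency
    from google.cloud import storage

    source, _ = default()
    creds = impersonated_credentials.Credentials(
        source_credentials=source,
        target_principal=target_sa,
        target_scopes=[STORAGE_WRITE_SCOPE],
        lifetime=lifetime_s,                 # token lives only as long as the job needs
    )
    return storage.Client(credentials=creds)


def upload_result(client, object_name: str, data: bytes, bucket: str = BUCKET) -> None:
    """Write one output object. objectCreator cannot overwrite (that needs
    storage.objects.delete), so insist on a new object instead of hitting a late 403."""
    blob = client.bucket(bucket).blob(object_name)
    blob.upload_from_string(data, if_generation_match=0)
```

The policy dict returned by add_temporary_write_binding is in the same shape that `gcloud storage buckets get-iam-policy BUCKET --format=json` emits, so an operator can write it out and apply it with `gcloud storage buckets set-iam-policy BUCKET policy.json`; run overbroad_grants on the fetched policy first to confirm the batch account holds nothing wider than the objectCreator binding.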