Configuring Access for Daily Reports in Google Cloud: Best Practices

Question

An application generates daily reports in a Compute Engine virtual machine (VM).

The VM is in the project corp-iot-insights.

Your team operates only in the project corp-aggregate-reports and needs a copy of the daily exports in the bucket corp-aggregate-reports-storage.

You want to configure access so that the daily reports from the VM are available in the bucket corp-aggregate-reports-storage and use as few steps as possible while following Google-recommended practices.

What should you do?

Explanations

The recommended approach to provide access to the daily reports generated in the Compute Engine VM in the corp-iot-insights project to the corp-aggregate-reports project and store them in the corp-aggregate-reports-storage bucket is to follow the principle of least privilege and use Google-recommended practices. Therefore, the best answer is B. Grant the VM Service Account the role Storage Object Creator on corp-aggregate-reports-storage.

Explanation: Option A, which is to move both projects under the same folder, is not recommended as it may not be feasible in all cases and is not necessary to provide access to the bucket.

Option C, which is to create a Shared VPC network between both projects, is also not necessary to achieve the desired outcome and can introduce unnecessary complexity.

Option D, which is to make the bucket public and create a folder with a pseudo-randomized suffix name, is not recommended as it can compromise the security of the data stored in the bucket and violate compliance regulations.

The recommended approach is to grant the Compute Engine VM's Service Account in the corp-iot-insights project the role Storage Object Creator on the corp-aggregate-reports-storage bucket. This approach follows the principle of least privilege, where the Service Account is granted only the required permissions to access the bucket, and it is a Google-recommended practice for granting cross-project access to Cloud Storage buckets.

To grant the Service Account the Storage Object Creator role on the bucket, you can follow these steps:

  1. Open the Cloud Console and go to the Cloud Storage Browser page.
  2. Navigate to the corp-aggregate-reports-storage bucket.
  3. Click on the "Permissions" tab and then click "Add".
  4. In the "New members" field, enter the Service Account email address for the Compute Engine VM in the corp-iot-insights project.
  5. Select the "Storage Object Creator" role from the "Role" dropdown menu.
  6. Click "Save" to grant the Service Account access to the bucket.

Once the Service Account has been granted the necessary permissions, the Compute Engine VM in the corp-iot-insights project can use the gsutil command-line tool or the Cloud Storage API to write the daily reports to the corp-aggregate-reports-storage bucket in the corp-aggregate-reports project.
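The bucket-level grant from steps 1 to 6, expressed as an edit to the bucket's IAM policy document, as an added example that is not part of the original post. The policy JSON shape is the one `gcloud storage buckets get-iam-policy --format=json` returns; the service account e-mail and the starting policy are constructed, and the function also refuses to extend a policy that already carries the `allUsers` / `allAuthenticatedUsers` grants that option D would introduce.

```python
import copy

OBJECT_CREATOR = "roles/storage.objectCreator"
# Principals that make a bucket readable by anyone: the "make the bucket
# public" anti-pattern from option D.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed VM service account in corp-iot-insights (project number is a placeholder).
VM_SERVICE_ACCOUNT = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"

# Constructed: bucket policy in the shape `gcloud storage buckets get-iam-policy
# gs://corp-aggregate-reports-storage --format=json` returns.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["group:reports-team@example.com"]},
    ],
    "etag": "CAE=",
}


def public_members(policy):
    """Return (role, member) pairs that grant access to everyone."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


def add_binding(policy, member, role):
    """Return a copy of `policy` with `member` in `role`, idempotently.

    Mirrors `gcloud storage buckets add-iam-policy-binding`: extend the role's
    existing binding or create one; keep the etag so set-iam-policy is checked.
    """
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def grant_report_writer(policy, member):
    """Grant objectCreator only, refusing to extend an already-public policy."""
    leaks = public_members(policy)
    if leaks:
        raise ValueError(f"bucket is public via {leaks}; remove before granting")
    return add_binding(policy, member, OBJECT_CREATOR)
```

The same grant from the command line is `gcloud storage buckets add-iam-policy-binding gs://corp-aggregate-reports-storage --member=serviceAccount:VM_SA_EMAIL --role=roles/storage.objectCreator`, with VM_SA_EMAIL being the VM's service account from step 4.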