Google Cloud | Using Service Accounts to Take VM Snapshots across Projects

Using Service Accounts to Take VM Snapshots across Projects

Question

You have one project called proj-sa where you manage all your service accounts.

You want to be able to use a service account from this project to take snapshots of VMs running in another project called proj-vm.

What should you do?

Answers

Explanations

C.

The correct answer to this question is C. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.

Explanation:

In Google Cloud Platform (GCP), a service account is a special type of account that is used by applications and services to access GCP resources programmatically. Service accounts are used for authentication and authorization purposes. They are not associated with a specific user or email address, but instead, they are associated with a set of credentials (private key) that are used to authenticate the application or service.

To take snapshots of VMs running in another project called proj-vm, you need to grant the service account in proj-sa the necessary permissions to access resources in proj-vm.

Options A and B are incorrect because downloading the service account's private key and adding it to the VM's custom metadata or SSH keys does not grant the service account any permissions in the proj-vm project.

Option D is incorrect because setting the service account's Compute Engine API access scope to read/write only limits which actions the service account can perform on Compute Engine resources; it does not grant the service account any permissions on resources in other projects.

Option C is the correct answer because granting the service account the IAM Role of Compute Storage Admin in the project called proj-vm will give the service account permissions to manage snapshots of the VMs in proj-vm. This role includes the necessary permissions to create, delete, and manage snapshots of persistent disks in Compute Engine. By granting this role to the service account in proj-sa, you are allowing the service account to access and manage resources in proj-vm.

To grant the Compute Storage Admin role in proj-vm to the service account from proj-sa, you can follow these steps:

  1. Go to the IAM & Admin page in the proj-vm project.
  2. Click on the "Add" button to add a new member to the project.
  3. Enter the email address of the service account from proj-sa that you want to grant permissions to.
  4. Select the "Compute Storage Admin" role from the "Select a role" dropdown menu.
  5. Click on the "Save" button to save the changes.

Once you have completed these steps, the service account in proj-sa will have the necessary permissions to take snapshots of VMs running in proj-vm.
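As an added example (not from the original page), the read-modify-write that `gcloud projects add-iam-policy-binding` performs on proj-vm's IAM policy, plus a check that the member being added really is a service account owned by proj-sa. The account name snapshot-sa and the sample policy document are assumptions.

```python
import copy
import re
from typing import Optional

ROLE = "roles/compute.storageAdmin"   # Compute Storage Admin (includes compute.disks.* and compute.snapshots.*)
SA_PROJECT = "proj-sa"                # project that owns the service account
MEMBER = f"serviceAccount:snapshot-sa@{SA_PROJECT}.iam.gserviceaccount.com"  # assumed name

# Constructed sample of what `gcloud projects get-iam-policy proj-vm --format=json`
# returns: role bindings plus an etag used for optimistic locking on setIamPolicy.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyZ123",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": ROLE, "members": ["serviceAccount:backup@proj-vm.iam.gserviceaccount.com"]},
    ],
}

SA_RE = re.compile(r"^serviceAccount:[a-z][-a-z0-9]*@([a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com$")


def member_project(member: str) -> Optional[str]:
    """Project that owns a user-managed service-account member, or None if it is not one."""
    m = SA_RE.match(member)
    return m.group(1) if m else None


def add_binding(policy: dict, role: str, member: str, sa_project: str) -> dict:
    """Return a copy of policy with member added to role (idempotent).
    Only service accounts owned by sa_project are accepted, so a mistyped
    member cannot silently grant the role to an account from another project."""
    if member_project(member) != sa_project:
        raise ValueError(f"{member} is not a service account from {sa_project}")
    new = copy.deepcopy(policy)  # etag is kept so setIamPolicy can detect concurrent edits
    for binding in new["bindings"]:
        # Unconditional binding for this role: append the member if it is missing.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def members_with_role(policy: dict, role: str) -> list:
    """All members holding role, for reviewing who can snapshot disks in proj-vm."""
    return sorted(m for b in policy["bindings"] if b["role"] == role for m in b["members"])
```

The equivalent single command is `gcloud projects add-iam-policy-binding proj-vm --member="serviceAccount:snapshot-sa@proj-sa.iam.gserviceaccount.com" --role="roles/compute.storageAdmin"`. Review the output of members_with_role periodically, because Compute Storage Admin also permits deleting disks and snapshots in proj-vm.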