Securing Service Account Credentials on GCP Compute Engine Instances

Distributing Service Account Credentials for Secure GCP Authentication

Question

Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances.

You want to distribute these credentials to the host instances as securely as possible.

What should you do?

Answers

Explanations


B.

https://cloud.google.com/compute/docs/api/how-tos/authorization

Option B is the correct answer: Use the instance's service account Application Default Credentials to authenticate to the required resources.

Explanation: Service accounts provide a way to authenticate and authorize applications running on Compute Engine virtual machines. When a Compute Engine instance is created, it is automatically given a default service account that has the necessary permissions to access Google Cloud Platform (GCP) resources, and applications running on the instance can authenticate as that service account.

Using Application Default Credentials (ADC) is a secure way to authenticate with GCP services from Compute Engine instances because it eliminates the need to manually create, copy and manage service account key files. ADC allows an application to use the default service account of the Compute Engine instance: the Google Cloud metadata server issues short-lived access tokens for that service account, so no long-lived credential ever has to be placed on the instance.

To use ADC, an application running on a Compute Engine instance needs to have the appropriate scopes and permissions assigned to its service account. This can be done by creating and assigning a custom IAM role to the service account, or by assigning one of the predefined IAM roles that grants the necessary permissions. Once the permissions are assigned, the application can access GCP resources using the default service account.

Option A is incorrect because HTTP signed URLs are used for granting temporary access to specific resources, and not for authenticating service accounts on Compute Engine instances.

Option C is not the recommended approach because it involves copying the P12 file manually to the instance, which can be error-prone and pose a security risk. Additionally, the P12 file contains the service account's private key, which can be used to impersonate the service account and access resources it has been granted permission to.

Option D is not a recommended approach for distributing service account credentials because it exposes the credentials to potential security risks. The credentials should be kept secure and not stored in a version control system or included in the application package.
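As an added example, not from the page or from Google's own libraries, the ADC mechanism the explanation describes in miniature: the application asks the instance's metadata server for a short-lived access token for the attached service account, so no key file is ever copied to the VM or baked into the image. The endpoint and the `Metadata-Flavor` header are the real metadata-server ones; the function names and the fake opener used for offline testing are this example's own assumptions.

```python
import json
import time
import urllib.request

# Token endpoint of the GCE metadata server for the instance's attached
# (default) service account, and the header it requires on every request.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

def build_token_request():
    """Metadata-Flavor: Google is mandatory; the server refuses requests without it."""
    return urllib.request.Request(METADATA_TOKEN_URL, headers=METADATA_HEADERS)

def parse_token_response(body, now):
    """JSON {"access_token","expires_in","token_type"} -> header value + expiry."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected token response from metadata server")
    return {"authorization": "Bearer " + data["access_token"],
            "expires_at": now + int(data["expires_in"])}

def token_is_fresh(token, now, skew=60):
    """Refresh a little before expiry; tokens are short-lived by design,
    so nothing long-lived is ever stored on the instance."""
    return token["expires_at"] - skew > now

def fetch_access_token(opener=urllib.request.urlopen, now=time.time):
    """Fetch a short-lived access token for the attached service account.
    `opener` is injectable so the logic can be exercised off GCE."""
    try:
        with opener(build_token_request(), timeout=2) as resp:
            body = resp.read()
    except OSError as exc:  # urllib.error.URLError is an OSError
        # Off GCE, or the instance was created with no service account attached.
        raise RuntimeError("metadata server unreachable; no ADC available") from exc
    return parse_token_response(body, now())

# Constructed stand-in for the metadata server, used only for offline testing.
SAMPLE_BODY = b'{"access_token":"ya29.EXAMPLE","expires_in":3599,"token_type":"Bearer"}'
class _FakeResponse:
    def __init__(self, body): self.body = body
    def read(self): return self.body
    def __enter__(self): return self
    def __exit__(self, *exc): return False

def fake_opener(request, timeout=None):
    return _FakeResponse(SAMPLE_BODY)
```

In production code the same exchange, including refresh, is done for you by `google.auth.default()` from the google-auth library.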