Google Cloud Network Engineer Exam: Automation with Least Privilege - Retrieve Files from Cloud Storage

Automation with Least Privilege: Retrieve Files from Cloud Storage

Question

You are adding steps to a working automation that uses a service account to authenticate.

You need to give the automation the ability to retrieve files from a Cloud Storage bucket.

Your organization requires using the least privilege possible.

What should you do?

Answers

Explanations


B.

https://cloud.google.com/compute/docs/access/iam

The best option to give the automation the ability to retrieve files from a Cloud Storage bucket while using the least privilege possible is to grant the service account a "read-only" privilege on that Cloud Storage bucket. Therefore, option C is the correct answer.

Option A, "Grant the compute.instanceAdmin to your user account," is not the best choice because it provides more access than needed. The compute.instanceAdmin role grants users the ability to manage Compute Engine instances, which is not necessary to retrieve files from a Cloud Storage bucket.

Option B, "Grant the iam.serviceAccountUser to your user account," grants a user the ability to impersonate a service account to access resources. However, it does not provide direct access to Cloud Storage buckets. It also grants more privileges than required.

Option D, "Grant the cloud-platform privilege to the service account for the Cloud Storage bucket," grants the service account access to all Google Cloud Platform services, which is not the least privilege required to retrieve files from a Cloud Storage bucket.

Therefore, the best option is to grant the service account the "read-only" privilege to the Cloud Storage bucket, which provides only the necessary permissions to retrieve files from the bucket without granting unnecessary access to other resources.