Create a Service Account to List Compute Engine Instances - Best Practices

Question

You will create a new Service Account that should be able to list the Compute Engine instances in the project.

You want to follow Google-recommended practices.

What should you do?

Answers

A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B. Create a custom role with the permission compute.instances.list, and grant the Service Account this role.

C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.

D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Explanations

The correct answer is B: Create a custom role with the permission compute.instances.list and grant the Service Account this role.

Explanation: Listing the Compute Engine instances in a project requires the IAM permission compute.instances.list, so the Service Account must be granted a role that contains it. Google's recommended practice is least privilege: grant only the permissions the task needs, at the narrowest scope that works. No predefined role is limited to listing instances, so a custom role containing only compute.instances.list, bound to the Service Account on the project, is the recommended approach.

Option A suggests creating an Instance Template and allowing the Service Account Read Only access for the Compute Engine Access Scope. This does not solve the problem. An Instance Template only describes how new VMs are created, and an access scope is a legacy mechanism that caps what an OAuth token fetched from an instance's metadata server may do; it restricts permissions rather than granting them. A Service Account that holds no IAM role still cannot list instances, whatever scope the VM has, so option A neither grants the required permission nor follows the recommended practice of controlling access through IAM roles.

Option C suggests giving the Service Account the predefined role Compute Viewer (roles/compute.viewer) and using it for all instances. Compute Viewer grants read-only access to get and list every Compute Engine resource in the project (instances, disks, images, networks, firewall rules and more), which is far broader than the single permission the task requires. A predefined role is preferable to a basic role, but it is not the least-privilege choice here.

Option D suggests giving the Service Account the basic role Project Viewer (roles/viewer) and using it for all instances. Project Viewer grants read-only access to almost every resource of every service in the project, not just Compute Engine. Google recommends against using basic roles in production environments precisely because they are this broad.

Therefore, the best approach is to create a custom role containing only the permission compute.instances.list and bind it to the Service Account on the project. The Service Account can then list instances in every zone of the project and do nothing else. Two practical caveats: a custom role lives in the project (or organization) where it is created and is not updated automatically if Google later changes the permissions a task needs, and if the workload later has to call other APIs, each additional permission should be added to the custom role deliberately rather than by switching to a broader predefined role.
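The procedure behind answer B, written out as gcloud commands. This is an added example, not part of the original question page or Google's documentation; the project ID, the service account name instance-lister and the custom role ID instanceLister are assumptions, and the script prints the commands instead of running them when gcloud is not installed so it can be read and checked on any machine.

```shell
#!/bin/sh
# Added example: create a service account, a custom role that holds only
# compute.instances.list, and a project-level binding between the two.
# PROJECT_ID, SA_NAME and ROLE_ID are assumed values, not from the page.
PROJECT_ID="${PROJECT_ID:-my-project-id}"   # assumed project
SA_NAME="${SA_NAME:-instance-lister}"       # assumed service account name
ROLE_ID="${ROLE_ID:-instanceLister}"        # assumed custom role ID
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Write the custom role definition in the YAML shape accepted by
# `gcloud iam roles create --file`. Exactly one permission is included.
write_role_definition() {
    cat > "$1" <<EOF
title: "Compute Instance Lister"
description: "Least-privilege role: list Compute Engine instances only"
stage: "GA"
includedPermissions:
- compute.instances.list
EOF
}

# Count the permissions listed in a role file; least privilege keeps this at 1.
count_permissions() {
    grep -c '^- ' "$1"
}

# Run a gcloud command when the CLI is present; otherwise print it, so the
# sequence can be reviewed on a machine without gcloud.
run() {
    if command -v gcloud >/dev/null 2>&1; then
        "$@"
    else
        printf 'DRY-RUN: %s\n' "$*"
    fi
}

main() {
    role_file="$(mktemp)"
    write_role_definition "$role_file"

    # 1. The service account itself carries no permissions until a role is bound.
    run gcloud iam service-accounts create "$SA_NAME" \
        --project="$PROJECT_ID" \
        --display-name="Lists Compute Engine instances"

    # 2. Custom role scoped to this project, with the single permission above.
    run gcloud iam roles create "$ROLE_ID" \
        --project="$PROJECT_ID" \
        --file="$role_file"

    # 3. Bind the custom role to the service account at project level.
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:${SA_EMAIL}" \
        --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"

    # 4. Check: the account should hold this role and nothing broader.
    run gcloud projects get-iam-policy "$PROJECT_ID" \
        --flatten="bindings[].members" \
        --filter="bindings.members:serviceAccount:${SA_EMAIL}" \
        --format="value(bindings.role)"

    rm -f "$role_file"
}

# Only perform the changes when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh create-instance-lister.sh --apply` after `gcloud auth login`. To confirm the account can list instances and nothing more, use `gcloud compute instances list --impersonate-service-account="$SA_EMAIL"` (the caller needs roles/iam.serviceAccountTokenCreator on that service account) and then try, for example, `gcloud compute disks list` the same way, which should be denied. For contrast with option C, `gcloud iam roles describe roles/compute.viewer` prints the long includedPermissions list that Compute Viewer would have granted.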