You have an application running on Google Cloud that needs to read data from a Cloud Storage bucket but should not modify or delete any data. Which service account role should you assign to the application?
Think about the principle of least privilege: only allow what is necessary.
The roles/storage.objectViewer role allows read-only access to objects in Cloud Storage buckets. It fits the requirement to read data without modifying or deleting it. Other roles provide broader permissions than needed.
You want to securely provide your application running outside Google Cloud access to a Google Cloud API using a service account. Which method is the best practice for managing the service account key?
Think about how to keep secrets safe and avoid exposing keys unnecessarily.
Storing the service account key in a secure secret manager and loading it at runtime is best practice. It avoids hardcoding secrets and reduces risk of exposure. Downloading and embedding keys or sharing via email are insecure. Creating new keys frequently is inefficient and can cause key sprawl.
You have a multi-service application on Google Cloud. Service A needs to write logs to Cloud Logging. Service B needs to read messages from a Pub/Sub subscription. Both services use separate service accounts. Which is the best way to assign permissions?
Remember to give only the permissions each service needs.
Assigning roles/logging.logWriter to Service A and roles/pubsub.subscriber to Service B follows the principle of least privilege. Using broad roles like editor or owner grants unnecessary permissions and increases security risk. Admin roles provide more permissions than needed.
You suspect a service account key has been compromised. What is the immediate best action to secure your Google Cloud environment?
Think about how to stop unauthorized access quickly while minimizing disruption.
Rotating the compromised key by deleting it and creating a new one immediately stops unauthorized use of the old key. Deleting the entire service account can cause service disruption. Disabling the account may not revoke keys immediately. Service accounts do not have passwords.
An application running on Google Compute Engine uses a service account to access Google Cloud APIs. The application obtains an access token from the metadata server. What happens when the access token expires?
Think about how Google Cloud manages tokens for VM service accounts.
The metadata server automatically refreshes access tokens for service accounts attached to Compute Engine VMs. Applications can request new tokens anytime without needing to manage credentials manually. Tokens do expire, but the refresh is seamless. Restarting the VM is not required.