Set Up Permissions for Compute Engine Instances to Write Data into a Cloud Storage Bucket

Question

You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket.

You want to follow Google-recommended practices.

What should you do?

Answers

A. Create a service account with an access scope. Use the access scope https://www.googleapis.com/auth/devstorage.write_only.

B. Create a service account with an access scope. Use the access scope https://www.googleapis.com/auth/cloud-platform.

C. Create a service account and add it to the IAM role storage.objectCreator for that bucket.

D. Create a service account and add it to the IAM role storage.objectAdmin for that bucket.

Correct answer: C

Explanation

To let a set of Compute Engine instances write into one Cloud Storage bucket, the instances should run as a dedicated service account, and that service account should be granted the narrowest IAM role on the bucket that covers the job. Access scopes are the legacy mechanism and only limit what an instance's token may ask for; they never grant anything by themselves. Taking the options in turn:

A. Create a service account with an access scope. Use the access scope https://www.googleapis.com/auth/devstorage.write_only.

There is no such scope. The documented Cloud Storage access scopes are devstorage.read_only, devstorage.read_write and devstorage.full_control (plus the catch-all cloud-platform). Even if the scope existed, an access scope only restricts which APIs the instance's token can call; it grants the service account no permission on the bucket, so on its own this option would not get any data written.

B. Create a service account with an access scope. Use the access scope https://www.googleapis.com/auth/cloud-platform.

The cloud-platform scope is the one Google recommends for new instances, but it is not a grant of access: it only removes the legacy per-API restriction on the instance's token. What the service account may actually do is decided entirely by the IAM roles bound to it, and this option binds none, so the instances still cannot write a single object. It is half of the right setup, missing the IAM part.

C. Create a service account and add it to the IAM role storage.objectCreator for that bucket.

This is the correct option. roles/storage.objectCreator carries storage.objects.create and little else: the instances can upload new objects but cannot list, read, overwrite or delete anything in the bucket. Binding the role on the bucket rather than on the project confines the grant to the one bucket in question. It is the least-privilege choice and matches Google's recommendation to control access through IAM roles on a dedicated service account rather than through access scopes. One caveat a practitioner should know: overwriting an existing object also requires storage.objects.delete, so writers that re-upload to the same object name need more than this role.

D. Create a service account and add it to the IAM role storage.objectAdmin for that bucket.

roles/storage.objectAdmin grants full control over the objects in the bucket: create, read, list, update and delete. It would let the instances write, but it hands them far more than the requirement calls for; if one instance is compromised, the attacker can read and destroy everything in the bucket. Over-privileged for this task, so not the recommended practice.

In summary, option C is the answer: create a dedicated service account, bind roles/storage.objectCreator on the target bucket, and attach that service account to the instances (keeping the cloud-platform scope so the legacy scope mechanism does not block the IAM grant). Options A and B rely on access scopes, which grant nothing on their own, and A names a scope that does not exist. Option D works but violates least privilege.
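The point the explanation turns on is that an instance's effective access is the intersection of what its access scope lets the token request and what the service account's IAM role allows. The following is an added example written for this page, not Google's code: it models that intersection for the four options, picks the smallest predefined role for a given set of bucket operations, and prints the gcloud commands for the recommended setup. The role and scope permission tables are a simplified subset of the real predefined roles, and the project, bucket, zone and instance names are placeholders.

```python
"""Added example for this explanation (not Google's code). Models how a Compute
Engine instance's effective Cloud Storage access is decided, and emits the
gcloud commands for the recommended setup. Permission tables are a simplified
subset of the real predefined roles and scopes."""

# Permissions carried by each predefined Cloud Storage role (simplified subset;
# the real roles include a few extras such as multipart-upload permissions).
ROLE_PERMISSIONS = {
    None: set(),  # no role bound: the service account can do nothing
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update",
    },
}

# What each access scope lets the instance's token ask the Storage API for.
# "*" means no API restriction. The "write_only" scope from option A is not a
# documented scope, so it is absent here and resolves to nothing.
SCOPE_PERMISSIONS = {
    "https://www.googleapis.com/auth/cloud-platform": {"*"},
    "https://www.googleapis.com/auth/devstorage.full_control": {"*"},
    "https://www.googleapis.com/auth/devstorage.read_only": {
        "storage.objects.get", "storage.objects.list"},
    "https://www.googleapis.com/auth/devstorage.read_write": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update"},
}

# Permissions each bucket operation needs. Overwriting an existing object needs
# storage.objects.delete as well as create, which is why objectCreator-only
# writers get a 403 when they upload to a name that already exists.
OPERATION_PERMISSIONS = {
    "upload_new": {"storage.objects.create"},
    "overwrite": {"storage.objects.create", "storage.objects.delete"},
    "download": {"storage.objects.get"},
    "list": {"storage.objects.list"},
    "delete": {"storage.objects.delete"},
}


def effective_permissions(scope, role):
    """Permissions the VM can actually exercise: the scope caps what the token
    may request, the IAM role decides what the service account is allowed."""
    by_role = ROLE_PERMISSIONS.get(role, set())
    by_scope = SCOPE_PERMISSIONS.get(scope, set())
    if "*" in by_scope:
        return set(by_role)
    return by_role & by_scope


def allowed_operations(scope, role):
    """Bucket operations that succeed with this scope/role combination."""
    have = effective_permissions(scope, role)
    return sorted(op for op, need in OPERATION_PERMISSIONS.items() if need <= have)


def least_privilege_role(operations):
    """Smallest predefined role (by permission count) covering the operations,
    or None if no single role in the table does."""
    need = set().union(*(OPERATION_PERMISSIONS[op] for op in operations))
    fits = [r for r, perms in ROLE_PERMISSIONS.items() if r and need <= perms]
    return min(fits, key=lambda r: len(ROLE_PERMISSIONS[r]), default=None)


# The four exam options as (instance scope, bucket-level role) pairs. Options C
# and D are paired with the cloud-platform scope Google recommends.
EXAM_OPTIONS = {
    "A": ("https://www.googleapis.com/auth/devstorage.write_only", None),
    "B": ("https://www.googleapis.com/auth/cloud-platform", None),
    "C": ("https://www.googleapis.com/auth/cloud-platform", "roles/storage.objectCreator"),
    "D": ("https://www.googleapis.com/auth/cloud-platform", "roles/storage.objectAdmin"),
}


def evaluate_options():
    """Map each option letter to the operations it lets the instances perform."""
    return {letter: allowed_operations(*pair) for letter, pair in EXAM_OPTIONS.items()}


def provisioning_commands(project, bucket, sa_name, zone, instance):
    """gcloud commands for option C. All arguments are placeholders."""
    sa_email = f"{sa_name}@{project}.iam.gserviceaccount.com"
    return [
        f"gcloud iam service-accounts create {sa_name} --project={project}",
        f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
        f"--member=serviceAccount:{sa_email} --role=roles/storage.objectCreator",
        f"gcloud compute instances create {instance} --project={project} "
        f"--zone={zone} --service-account={sa_email} --scopes=cloud-platform",
    ]


if __name__ == "__main__":
    for letter, ops in evaluate_options().items():
        print(f"Option {letter}: {ops or 'nothing'}")
    print("Uploads only:", least_privilege_role(["upload_new"]))
    print("Uploads that overwrite:", least_privilege_role(["upload_new", "overwrite"]))
    for cmd in provisioning_commands("my-project", "my-bucket", "bucket-writer",
                                     "us-central1-a", "writer-vm"):
        print(cmd)
```

Running it shows options A and B permitting nothing, C permitting only new uploads, and D permitting every object operation. The model also exposes a common field mistake: binding objectCreator but leaving the instance on the default devstorage.read_only scope yields no allowed operations at all, because the legacy scope blocks the create call before IAM is even consulted.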