The correct answer is A. Add the Logs Writer role to the service account.
To use Cloud Logging, the service account attached to the Compute Engine instance must have the necessary permissions to write log entries. The Logs Writer role (roles/logging.logWriter) provides this permission. You can grant this role to the user-managed service account at the project, folder, or organization level [1].
Private Google Access is not required for Cloud Logging, as it allows instances without external IP addresses to access Google APIs and services [2]. The default Compute Engine service account already has the Logs Writer role, but it is not a recommended practice to use it for user applications [3]. Exporting the service account key and configuring the agents to use the key is not a secure way of authenticating the service account, as it exposes the key to potential compromise [4].
References:
[1] Access control with IAM | Cloud Logging | Google Cloud
[2] Private Google Access overview | VPC | Google Cloud
[3] Service accounts | Compute Engine Documentation | Google Cloud
[4] Best practices for securing service accounts | IAM Documentation | Google Cloud