To provide temporary write access to a Cloud Storage bucket with the minimum permissions necessary, you should:
Identify the Compute Engine instance’s default service account: Each Compute Engine instance has a default service account that is used to interact with other Google Cloud services.
Assign the storage.objectCreator role: This predefined IAM role grants permissions to create objects in a Cloud Storage bucket, which is sufficient for temporary write access. It does not grant permissions to read or delete objects, thus adhering to the principle of least privilege.
Avoid using full permissions or long-lived keys: Options A and C suggest using broader permissions than necessary or embedding long-lived keys, which could pose a security risk if compromised.
Service account impersonation (Option D) is not necessary for this task and would be more appropriate for scenarios where you need to assume a different identity with different permissions.
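The three steps above as a shell script (an added example, not part of the original answer): look up the instance's service account, bind roles/storage.objectCreator on the bucket only, with an IAM condition so the grant expires on its own, then print the bucket policy to confirm nothing broader was granted. INSTANCE, ZONE, BUCKET and EXPIRES are placeholders, and the --condition flag on add-iam-policy-binding is assumed to be accepted by the installed gcloud.

```shell
#!/bin/sh
# Added example, not from the original page. Placeholders: INSTANCE, ZONE,
# BUCKET, EXPIRES (RFC 3339 UTC, e.g. 2025-01-31T18:00:00Z).
set -eu

# Build the CEL condition that makes the binding expire at the given time.
# IAM conditions on buckets require uniform bucket-level access to be enabled.
build_condition() {
  # $1 = RFC 3339 expiry timestamp
  printf 'expression=request.time < timestamp("%s"),title=temp-object-write' "$1"
}

# Step 1: identify the service account attached to the Compute Engine instance.
instance_service_account() {
  # $1 = instance name, $2 = zone
  gcloud compute instances describe "$1" --zone "$2" \
    --format='value(serviceAccounts[0].email)'
}

# Step 2: grant objectCreator on this one bucket (not project-wide), with the
# expiry condition. Assumes --condition is supported by this subcommand.
grant_temporary_write() {
  # $1 = bucket name, $2 = service account email, $3 = RFC 3339 expiry
  gcloud storage buckets add-iam-policy-binding "gs://$1" \
    --member="serviceAccount:$2" \
    --role=roles/storage.objectCreator \
    --condition="$(build_condition "$3")"
}

# Step 3: verify the binding and check no broader storage role is present.
show_bucket_policy() {
  gcloud storage buckets get-iam-policy "gs://$1" --format=yaml
}

# Only talks to Google Cloud when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
  SA="$(instance_service_account "${INSTANCE:?}" "${ZONE:?}")"
  grant_temporary_write "${BUCKET:?}" "$SA" "${EXPIRES:?}"
  show_bucket_policy "${BUCKET:?}"
fi
```

Because the binding is scoped to one bucket and carries an expiry, no long-lived key is created and nothing has to be revoked by hand afterwards.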
References:
1. Google Cloud documentation on IAM roles for Cloud Storage, which lists the storage.objectCreator role as providing permissions to create objects without granting full administrative access to the bucket.
2. Best practices for access control in Cloud Storage, which recommend granting only the least privilege necessary and avoiding the use of long-lived service account keys.