1 Answer
Hello Dino,
A GCE instance only needs a service account if it needs to access resources or APIs outside of the virtual machine such as Cloud Storage or Cloud. So, not every instance must have a service account attached to it. This is especially true when you think of adhering to the Google Cloud Platform’s best practice of "least privilege". Basically, you don’t want an instance with a service account unless it actually needs it.
You can check out the following links for more details:
Service Accounts – https://cloud.google.com/iam/docs/service-accounts
Decision Process of when and how to add a service account – https://cloud.google.com/iam/docs/understanding-service-accounts
Least Privilege – https://cloud.google.com/iam/docs/using-iam-securely#least_privilege
Excellent question too. You’re definitely thinking critically and on your way to passing the certification.
Thanks!
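The answer above says an instance should only carry a service account when it actually needs one. A practical way to check that on an existing project is to audit what `gcloud compute instances list --format=json` reports for each VM. The script below is an added example, not code from the original answer or from Google; it runs over a constructed sample of that JSON (only the fields it reads are included) and flags instances that use the default Compute Engine service account, instances whose attached account has the broad `cloud-platform` access scope, and instances with no service account at all. The severity labels and the `BROAD_SCOPES` set are this example's own choices.

```python
"""Audit GCE instances for attached service accounts (added example)."""
import json
import re

# Constructed sample that mimics the shape of
#   gcloud compute instances list --format=json
# Only the fields this script reads are included; zones are abbreviated.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1", "zone": ".../zones/us-central1-a",
   "serviceAccounts": [
     {"email": "123456789012-compute@developer.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "batch-1", "zone": ".../zones/us-central1-b",
   "serviceAccounts": [
     {"email": "batch-uploader@my-project.iam.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/devstorage.read_write"]}]},
  {"name": "isolated-1", "zone": ".../zones/us-central1-c"}
]
"""

# The default Compute Engine service account has the form
# <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Access scopes this example treats as overly broad (assumption for the audit).
BROAD_SCOPES = {"https://www.googleapis.com/auth/cloud-platform"}


def load_instances(text):
    """Parse the JSON produced by `gcloud compute instances list --format=json`."""
    return json.loads(text)


def audit_instances(instances):
    """Return (instance_name, severity, detail) tuples, one per finding.

    Severity values used by this example:
      high   - default Compute Engine service account attached
      medium - custom service account, but with the cloud-platform scope
      review - custom service account with narrower scopes; check its IAM roles
      ok     - no service account attached at all
    """
    findings = []
    for inst in instances:
        name = inst["name"]
        attached = inst.get("serviceAccounts") or []
        if not attached:
            findings.append((name, "ok", "no service account attached"))
            continue
        for sa in attached:
            email = sa.get("email", "")
            scopes = set(sa.get("scopes", []))
            if DEFAULT_COMPUTE_SA.match(email):
                findings.append((name, "high", f"default Compute Engine SA {email}"))
            elif scopes & BROAD_SCOPES:
                findings.append((name, "medium", f"{email} has cloud-platform scope"))
            else:
                findings.append((name, "review", f"{email} scopes={sorted(scopes)}"))
    return findings


if __name__ == "__main__":
    for name, severity, detail in audit_instances(load_instances(SAMPLE_INSTANCES_JSON)):
        print(f"{severity:7s} {name:12s} {detail}")
```

To run it against a real project, replace `SAMPLE_INSTANCES_JSON` with the output of `gcloud compute instances list --format=json`. Instances reported as `high` or `medium` are the ones to revisit: an instance that makes no API calls can be created with `--no-service-account --no-scopes`, and one that does need access should get a dedicated service account with only the IAM roles it requires. Note that access scopes alone are not the whole story; what a VM can actually do is bounded by both the attached account's IAM roles and its scopes, so a `review` finding still means checking the roles granted to that account.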