Google Certified Associate Cloud Engineer 2020


Mock exam question about service accounts

Which of the following statements is true?

A) None of the other statements is true.
B) Every instance must have a Service Account attached to it.
C) Service Accounts should be used by GKE nodes and pods but not by GCE instances.
D) You must specify a Service Account when creating an instance or none will be attached.

I’ve chosen B, but according to the simulator the correct answer is A. Regardless of how an instance ends up with a service account, shouldn’t they all have a service account attached to them?

1 Answer

Hello Dino,

A GCE instance only needs a service account if it needs to access resources or APIs outside of the virtual machine, such as Cloud Storage or Cloud. So, not every instance must have a service account attached to it. This is especially true when you think of adhering to the Google Cloud Platform’s best practice of "least privilege". Basically, you don’t want an instance with a service account unless it actually needs it.

You can check out the following links for more details:

Service Accounts – https://cloud.google.com/iam/docs/service-accounts

Decision Process of when and how to add a service account – https://cloud.google.com/iam/docs/understanding-service-accounts

Least Privilege – https://cloud.google.com/iam/docs/using-iam-securely#least_privilege

Excellent question too. You’re definitely thinking critically and on your way to passing the certification.

Dino Costantini

Thanks!
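An added example, not part of the original thread or the course material: a Python audit that applies the least-privilege point from the answer to an instance inventory, listing which instances have a service account attached and flagging the Compute Engine default service account and the broad `cloud-platform` access scope. It assumes input in the shape of `gcloud compute instances list --format=json`; the sample data, project number and instance names are constructed.

```python
import json
import re

# Constructed sample in the shape of `gcloud compute instances list --format=json`
# (only the fields used here); project number and names are made up.
SAMPLE = json.loads("""
[
  {"name": "batch-worker", "serviceAccounts": [
     {"email": "123456789012-compute@developer.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "static-web"},
  {"name": "uploader", "serviceAccounts": [
     {"email": "uploader@example-project.iam.gserviceaccount.com",
      "scopes": ["https://www.googleapis.com/auth/devstorage.read_write"]}]}
]
""")

# The default account is named PROJECT_NUMBER-compute@developer.gserviceaccount.com.
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
BROAD_SCOPES = {"https://www.googleapis.com/auth/cloud-platform"}

def audit(instances):
    """Return {instance name: [findings]} for review against least privilege."""
    report = {}
    for inst in instances:
        findings = []
        # The field is absent (or empty) when no service account is attached.
        accounts = inst.get("serviceAccounts") or []
        if not accounts:
            findings.append("no service account attached")
        for sa in accounts:
            email = sa.get("email", "")
            findings.append(f"service account attached: {email}")
            if DEFAULT_SA.match(email):
                findings.append("uses the Compute Engine default service account")
            broad = BROAD_SCOPES.intersection(sa.get("scopes", []))
            if broad:
                findings.append("broad access scope: " + ", ".join(sorted(broad)))
        report[inst["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

An instance that needs no Google APIs can be created with `gcloud compute instances create ... --no-service-account --no-scopes`, which is what the `static-web` entry in the sample represents.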
