The default scopes for storage in instances or instance templates are READ ONLY, and the teacher sets these to WRITE ONLY. Why? Why not READ WRITE?
The startup script that is attached to the instance will create a txt file and write it to a storage bucket. So the GCE instance needs WRITE permission. There is no other use case where the instance needs to read the files in the storage bucket, so WRITE ONLY is sufficient and agrees with the least privilege principle.
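
The least-privilege check from this answer, as an added example that is not part of the original thread: a Python script that reads instance records shaped like `gcloud compute instances describe --format=json` output and reports storage scopes that are missing or exceed what the startup script needs. The instance records are constructed samples, and the scope-to-capability mapping and the names `storage_access` and `audit` are assumptions made for this example.

```python
import json

# Capabilities each OAuth scope grants on Cloud Storage (simplified assumption).
# Scopes only cap access; the service account's IAM roles must also allow it.
STORAGE_SCOPES = {
    "devstorage.read_only": {"read"},
    "devstorage.write_only": {"write"},
    "devstorage.read_write": {"read", "write"},
    "devstorage.full_control": {"read", "write", "acl"},
    "cloud-platform": {"read", "write", "acl"},
}

# Constructed sample records (not real instances).
SAMPLE = json.loads("""[
 {"name": "default-vm", "serviceAccounts": [{"email": "sa@example.invalid",
   "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
              "https://www.googleapis.com/auth/logging.write"]}]},
 {"name": "lab-vm", "serviceAccounts": [{"email": "sa@example.invalid",
   "scopes": ["https://www.googleapis.com/auth/devstorage.write_only"]}]},
 {"name": "rw-vm", "serviceAccounts": [{"email": "sa@example.invalid",
   "scopes": ["https://www.googleapis.com/auth/devstorage.read_write"]}]}
]""")


def storage_access(instance):
    """Union of storage capabilities granted by every scope on the instance."""
    granted = set()
    for account in instance.get("serviceAccounts", []):
        for scope in account.get("scopes", []):
            # Scope URLs end in the short scope name, e.g. devstorage.write_only.
            granted |= STORAGE_SCOPES.get(scope.rsplit("/", 1)[-1], set())
    return granted


def audit(instance, needed):
    """Compare granted storage capabilities with what the workload needs."""
    granted = storage_access(instance)
    return {
        "name": instance["name"],
        "missing": sorted(needed - granted),  # the workload would fail
        "excess": sorted(granted - needed),   # broader than least privilege
    }


if __name__ == "__main__":
    # The startup script only writes a file to the bucket.
    for inst in SAMPLE:
        print(audit(inst, {"write"}))
```
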