- A
Generate an API key for the instance and include it in HTTP requests.
Why wrong: API keys are not suitable for service account authentication.
- B
Create a service account and assign the Pub/Sub Publisher role; attach the service account to the instance.
Why wrong: This works but creates an unnecessary custom service account.
- C
Use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it.
The default service account is convenient and secure.
- D
Store the service account key file directly on the instance.
Why wrong: Storing key files on disk is insecure.
Compute Engine to Pub/Sub Authentication — Default Service Account | Google Professional Cloud Developer Explained
This PCD practice question tests your understanding of integrating google cloud services. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: default Compute Engine service account. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A developer wants to allow a Compute Engine instance to send messages to a Pub/Sub topic. What is the recommended way to grant permissions?
Quick Answer
The answer is to use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it. This is the recommended approach because every Compute Engine instance is automatically attached to a default service account, which acts as its identity for Google Cloud API calls. By granting the roles/pubsub.publisher IAM role to that service account, you enable the instance to authenticate and send messages to a Pub/Sub topic without managing keys or credentials. On the Google Professional Cloud Developer exam, this scenario tests your understanding of IAM best practices for service-to-service authentication, often appearing as a trap where candidates might choose API keys or a custom service account. The key insight is that the default service account is purpose-built for this pattern, making it both secure and operationally simple. Memory tip: think "Default does the work" — the default service account is your go-to for Compute Engine to Pub/Sub auth.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it.
Option C is correct because the default Compute Engine service account is automatically created for each project and attached to instances by default. By assigning the Pub/Sub Publisher role to this service account, the instance can authenticate and publish messages to a Pub/Sub topic without managing keys or credentials, following Google Cloud's recommended IAM best practices.
Key principle: Default Compute Engine service account
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Generate an API key for the instance and include it in HTTP requests.
Why it's wrong here
API keys are not suitable for service account authentication.
- ✗
Create a service account and assign the Pub/Sub Publisher role; attach the service account to the instance.
Why it's wrong here
This works but creates an unnecessary custom service account.
- ✓
Use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it.
Why this is correct
The default service account is convenient and secure.
Related concept
Default Compute Engine service account
- ✗
Store the service account key file directly on the instance.
Why it's wrong here
Storing key files on disk is insecure.
Common exam traps
Common exam trap: answer the scenario, not the keyword
A common trap is to assume that a dedicated, custom service account must be created for each instance. However, the default Compute Engine service account is pre-configured and sufficient for many use cases, simplifying credential management. Option B is a valid approach but is not the *recommended* default; option C is simpler and follows best practices.
Detailed technical explanation
How to think about this question
Under the hood, the Compute Engine default service account is automatically granted the IAM role 'roles/iam.serviceAccountUser' and its credentials are managed via the instance metadata server (accessible at 169.254.169.254). When an application on the instance calls the Pub/Sub API, the client library automatically retrieves an OAuth 2.0 access token from the metadata server, which is then used to authenticate the request. This eliminates the need to store or rotate service account keys, and the token is automatically refreshed, providing a secure and scalable authentication mechanism.
KKey Concepts to Remember
- Default Compute Engine service account
- Pub/Sub Publisher role
- IAM best practices
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Default Compute Engine service account
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Review default Compute Engine service account, then practise related PCD questions on the same topic to reinforce the concept.
- →
Integrating Google Cloud services — study guide chapter
Learn the concepts, then practise the questions
- →
Integrating Google Cloud services practice questions
Targeted practice on this topic area only
- →
All PCD questions
999 questions across all exam domains
- →
Google Professional Cloud Developer study guide
Full concept coverage aligned to exam objectives
- →
PCD practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related PCD practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Manage a Solution that Can Span Multiple Database Systems practice questions
Practise PCD questions linked to Manage a Solution that Can Span Multiple Database Systems.
Deploy Scalable and Highly Available Databases in Google Cloud practice questions
Practise PCD questions linked to Deploy Scalable and Highly Available Databases in Google Cloud.
Design Scalable and Highly Available Cloud Database Solutions practice questions
Practise PCD questions linked to Design Scalable and Highly Available Cloud Database Solutions.
Migrate Data Solutions practice questions
Practise PCD questions linked to Migrate Data Solutions.
Designing highly scalable, available, and reliable cloud-native applications practice questions
Practise PCD questions linked to Designing highly scalable, available, and reliable cloud-native applications.
Building and testing applications practice questions
Practise PCD questions linked to Building and testing applications.
Deploying applications practice questions
Practise PCD questions linked to Deploying applications.
Integrating Google Cloud services practice questions
Practise PCD questions linked to Integrating Google Cloud services.
Managing application performance monitoring practice questions
Practise PCD questions linked to Managing application performance monitoring.
PCD fundamentals practice questions
Practise PCD questions linked to PCD fundamentals.
PCD scenario practice questions
Practise PCD questions linked to PCD scenario.
PCD troubleshooting practice questions
Practise PCD questions linked to PCD troubleshooting.
Practice this exam
Start a free PCD practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this PCD question test?
Integrating Google Cloud services — This question tests Integrating Google Cloud services — Default Compute Engine service account.
What is the correct answer to this question?
The correct answer is: Use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it. — Option C is correct because the default Compute Engine service account is automatically created for each project and attached to instances by default. By assigning the Pub/Sub Publisher role to this service account, the instance can authenticate and publish messages to a Pub/Sub topic without managing keys or credentials, following Google Cloud's recommended IAM best practices.
What should I do if I get this PCD question wrong?
Review default Compute Engine service account, then practise related PCD questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Default Compute Engine service account
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
1 more ways this is tested on PCD
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company wants to send events from a custom application to Cloud Pub/Sub, then process them with a Cloud Run service. The application runs on Compute Engine. What is the simplest way for the application to authenticate to Pub/Sub?
easy- A.Use an API key for the Pub/Sub API.
- B.Embed a service account JSON key in the application code.
- C.Set up Cloud Endpoints to proxy the Pub/Sub requests.
- ✓ D.Attach a service account to the Compute Engine instance with necessary Pub/Sub roles.
Why D: Option D is correct because attaching a service account to the Compute Engine instance allows the application to automatically obtain credentials via the instance metadata server, which is the simplest and most secure method. Option A is wrong because API keys are not used for authentication to Pub/Sub; they lack identity-based access control. Option B is wrong because embedding a service account JSON key in the code is insecure and not best practice. Option C is wrong because Cloud Endpoints adds unnecessary complexity for this use case and is not the simplest approach.
Keep practising
More PCD practice questions
- A company is deploying a microservices architecture on GKE. They need to expose a set of related microservices under a s…
- You need to monitor the CPU usage of a Compute Engine instance and trigger an alert when it exceeds 80% for 5 minutes. W…
- A Cloud Bigtable instance has a single cluster. To improve availability and read throughput, the team decides to add a s…
- A developer wants to enable IAM database authentication for Cloud SQL for PostgreSQL. Which IAM role must be granted to…
- A company is using Cloud Bigtable for a time-series workload. They want to monitor performance and identify hot spots. W…
- A company wants to run hybrid transactional/analytical processing (HTAP) workloads on a PostgreSQL-compatible database w…
Last reviewed: Jul 4, 2026
This PCD practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCD exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.