A company trains models using Vertex AI Training and wants to share the resulting model artifacts with a different team in another Google Cloud project. What is the most secure way to grant access?
Least privilege, secure cross-project access.
Why this answer
Option D is correct because it follows the principle of least privilege and cross-project access best practices. By creating a dedicated service account in the target project and granting it the 'roles/storage.objectViewer' role on the specific Cloud Storage bucket, you avoid exposing the bucket publicly and avoid sharing the Vertex AI model resource directly, which would grant broader permissions than necessary. This approach ensures that only the service account can read the model artifacts, and the other team can use that service account to access the bucket securely.
Exam trap
The trap here is that candidates often confuse sharing the Vertex AI model resource (which controls access to the model metadata and endpoint) with sharing the underlying artifacts in Cloud Storage, leading them to choose option B, which does not grant the necessary read access to the actual model files.
How to eliminate wrong answers
Option A is wrong because BigQuery is a data warehouse service, not a mechanism for copying or sharing model artifacts; model artifacts are stored in Cloud Storage, and BigQuery cannot be used to copy or grant access to those files. Option B is wrong because sharing the Vertex AI model resource directly via IAM grants access to the model metadata and endpoints, but does not grant access to the underlying model artifacts stored in Cloud Storage; the other team would still need separate permissions on the bucket. Option C is wrong because setting the Cloud Storage bucket to 'public' access would allow anyone on the internet to read the artifacts, violating security best practices and potentially exposing proprietary or sensitive model data.