I have a question about the following question from the Google Associate certification training test:
Category: ACE – Configuring Access and Security
You are running a group of Compute Engine instances on the Google Cloud Platform. You want to set up the necessary permissions to allow all of your instances to read and write data into a specific Cloud Storage bucket. You want to follow Google-recommended practices.
What should you do?
Here, as it clearly asks for read and write permissions, I chose the following answer:
"Using the GCP Console, create a service account with an IAM role of storage.objectAdmin. Use it for your GCE instances to get write permissions on the bucket."
But it is the following one which is marked as valid:
"Using the GCP Console, create a service account with an IAM role of storage.objectCreator. Use it for your GCE instances to get write permissions on the bucket."
My point is that the storage.objectCreator role doesn't include read permissions, whereas storage.objectAdmin does. So could you please clarify why my answer isn't correct?
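To make the least-privilege trade-off behind the two answers concrete, here is an added example (not part of the original post or of the exam material). It models the Cloud Storage object roles as permission sets and ranks which role, or pair of roles, covers read+write on a bucket with the fewest extra permissions. The permission sets are an assumed, abbreviated transcription of the public predefined-role definitions, and `roles/storage.objectUser` is a newer role than the ones in the question; confirm both against `gcloud iam roles describe roles/storage.objectAdmin` (and the other role names) before relying on them. The `binding_commands` helper only builds command strings and is not run here.

```python
"""Least-privilege check for the Cloud Storage object roles discussed above.

The role -> permission mapping below is an ASSUMED, abbreviated subset of the
public predefined-role definitions, not something taken from the page.
Verify with: gcloud iam roles describe roles/storage.objectAdmin
"""
from itertools import combinations

# Assumed subset of permissions per predefined role (object-level only).
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": frozenset({
        "storage.objects.create",
    }),
    "roles/storage.objectViewer": frozenset({
        "storage.objects.get",
        "storage.objects.list",
    }),
    # Newer role; assumed here, check it exists in your environment.
    "roles/storage.objectUser": frozenset({
        "storage.objects.create",
        "storage.objects.delete",
        "storage.objects.get",
        "storage.objects.list",
        "storage.objects.update",
    }),
    "roles/storage.objectAdmin": frozenset({
        "storage.objects.create",
        "storage.objects.delete",
        "storage.objects.get",
        "storage.objects.list",
        "storage.objects.update",
        "storage.objects.getIamPolicy",
        "storage.objects.setIamPolicy",
    }),
}

# What "read and write objects in a bucket" actually needs: create new
# objects, fetch existing ones, and enumerate them.
READ_WRITE_OBJECTS = frozenset({
    "storage.objects.create",
    "storage.objects.get",
    "storage.objects.list",
})


def granted(roles):
    """Union of the permissions carried by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def missing_permissions(roles, required):
    """Required permissions the roles do NOT grant (non-empty = workload breaks)."""
    return set(required) - granted(roles)


def excess_permissions(roles, required):
    """Permissions granted beyond what is required (non-empty = over-privileged)."""
    return granted(roles) - set(required)


def rank_grants(required, max_roles=2):
    """All combinations of up to max_roles roles that fully cover `required`,
    ordered by least excess privilege, then fewest roles, then name."""
    options = []
    for n in range(1, max_roles + 1):
        for combo in combinations(sorted(ROLE_PERMISSIONS), n):
            if not missing_permissions(combo, required):
                options.append(combo)
    options.sort(key=lambda c: (len(excess_permissions(c, required)), len(c), c))
    return options


def binding_commands(project, bucket, sa_name, roles):
    """Build (but do not run) the gcloud commands that create the service
    account and bind the chosen roles on the one bucket, not project-wide.
    Assumed CLI syntax; check against the current gcloud reference."""
    member = f"serviceAccount:{sa_name}@{project}.iam.gserviceaccount.com"
    cmds = [f"gcloud iam service-accounts create {sa_name} --project={project}"]
    for role in roles:
        cmds.append(
            f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
            f"--member={member} --role={role}"
        )
    return cmds


if __name__ == "__main__":
    for role in ("roles/storage.objectCreator", "roles/storage.objectAdmin"):
        print(role, "missing:", sorted(missing_permissions([role], READ_WRITE_OBJECTS)),
              "excess:", sorted(excess_permissions([role], READ_WRITE_OBJECTS)))
    best = rank_grants(READ_WRITE_OBJECTS)[0]
    print("least-privilege grant:", best)
    for cmd in binding_commands("my-project", "my-bucket", "gce-bucket-rw", best):
        print(cmd)
```

Run as written, the script reports that `objectCreator` alone is missing `storage.objects.get` and `storage.objects.list`, that `objectAdmin` covers the requirement but also hands out delete and IAM-policy permissions, and that the tightest grant under these assumptions is the pair `objectCreator` + `objectViewer` bound on the single bucket (with `objectUser` as the tightest single role, if it is available to you).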