Exam Associate Cloud Engineer topic 1 question 258 discussion

D is the least privilege and Google's recommended practices.

The question does not describe any project requiring "owner" role access, hence granting that role to any of the project would violate least privilege. Can argue that crm-databases should have full access hence need owner role, but question does not mention specifically, and we only assume that.

I had my exam today and select A. I did only because of these sentence "service accounts for an application that spans multiple projects ." not 100% sure if it's correct but service account for web apps needs permissions to span projects. Maybe I got it wrong but A makes sense. It's tricky cause you don't know if web-apps will also do some updates on BigQuery or not.

D is the best answer and, for me, it was a process of elimination. The Project Owner role grants far-reaching permissions beyond what's needed for reading BQ datasets, violating the principle of least privilege.

Interpreting 'Project Owner' as the responsible entity, and not as the 'Project Owner' IAM role in Google Cloud: In this case, the instruction directs the person or entity managing the 'web-applications' project to grant appropriate roles for accessing the 'crm-databases' project. If this interpretation aligns with the intent of Option A, then it would indeed be a correct approach. Otherwise, none of the provided options would be correct.

It is 116 question. The answer is D.

Per ChatGPT, Option D aligns with the principle of least privilege, provides separation of concerns between projects, and allows for granular access control, making it the best choice for granting access to the service account in the web-applications project to access BigQuery datasets in the crm-databases project while following Google-recommended practices.

D. Grant roles/bigquery.dataViewer role to crm-databases and appropriate roles to web-applications.