Exam Professional Data Engineer topic 1 question 295 discussion

- Dataflow service agent is the one responsible for setting up and managing the network resources that Dataflow requires. - By granting the compute.networkUser role to this service agent, we are enabling it to provision the necessary network resources within the Shared VPC for your Dataflow job.

From https://cloud.google.com/dataflow/docs/guides/specifying-networks, it says "Make sure the Shared VPC subnetwork is shared with the Dataflow service account and has the Compute Network User role assigned on the specified subnet. The Compute Network User role must be assigned to the Dataflow service account in the host project."

If you see in the comments, A was answer by people around 8 months ago but recent ones have answered B with the documentation. The GCP documentation evolves with time

service account that executes the Dataflow pipeline It's straight forward

Assign the compute.networkUser role to the service account that executes the Dataflow pipeline

The correct answer is B. Assign the compute.networkUser role to the service account that executes the Dataflow pipeline. Here's why: Shared VPC and Network Access: When using a Shared VPC, you need to grant specific permissions to service accounts in the service project (where your Dataflow pipeline runs) to access resources in the host project's network. compute.networkUser Role: This role grants the necessary permissions for a service account to use the network resources in the Shared VPC. This includes accessing subnets, creating instances, and communicating with other services within the network. Service Account for Pipeline Execution: The service account that executes your Dataflow pipeline is the one that needs these network permissions. This is because the Dataflow service uses this account to create and manage worker instances within the Shared VPC network.

Dataflow service agent is a role that is assigned to a service account. So is compute.networkUser. https://cloud.google.com/dataflow/docs/concepts/access-control#example

Option B https://cloud.google.com/knowledge/kb/dataflow-job-in-shared-vpc-xpn-permissions-000004261

I believe the answer is B. All authentication documentation points to Service Accounts. https://cloud.google.com/dataflow/docs/concepts/authentication#on-gcp Dataflow service agent typically manages general interactions with the Dataflow service but does not execute the actual jobs.

All projects that have used the resource Dataflow Job have a Dataflow Service Account, also known as the Dataflow service agent. Make sure the Shared VPC subnetwork is shared with the Dataflow service account and has the Compute Network User role assigned on the specified subnet.

Option A, I do agree with Raaad, it's the dataflow service agent that needs the networkUser role, because it's the one that provisions the network resources https://cloud.google.com/dataflow/docs/guides/specifying-networks#shared

compute.networkUser to the service account that executes the Dataflow pipeline.

Option B is Correct. Explanation: You need to give compute networkuser role to service account that is processing the pipeline as it will need to deploy nessesary worker nodes on the shared vpc project. Option A is incorrect as Dataflow Service Agent is Google MGS service account that will not responsible for running or deoplying workers in shared vpc. Option C and D is incorrect as dataflow.admin is elevated privlages to create and manage all of dataflow components not deploying resources in shared vpc.

B. Assign the compute.networkUser role to the service account that executes the Dataflow pipeline. See the ref - https://cloud.google.com/dataflow/docs/guides/specifying-networks