ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Developer All Questions

View all questions & answers for the Professional Cloud Developer exam
Go to Exam

Exam Professional Cloud Developer topic 1 question 310 discussion

Actual exam question from Google's Professional Cloud Developer
Question #: 310
Topic #: 1
[All Professional Cloud Developer Questions]

You are about to deploy an application hosted on a Compute Engine instance with Windows OS and Cloud SQL. You plan to use the Cloud SQL Auth Proxy for connectivity to the Cloud SQL instance. You plan to follow Google-recommended practices and the principle of least privilege. You have already created a custom service account. What should you do next?

  • A. Create and assign a custom role with the cloudsql.instances.connect permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
  • B. Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy start command to use the --unix-socket CLI option.
  • C. Grant the custom service account the roles/cloudsql.editor role.
  • D. Grant the custom service account the roles/cloudsql.viewer role. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by anshad666 at Oct. 12, 2024, 8:57 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
SahandJ
Highly Voted 9 months ago
Selected Answer: A
Option B recommends using the role "cloudsql.client". This role only has the following two permissions: - cloudsql.instances.connect - cloudsql.instances.get This is great when following the pricinple of least privilege. However, according to the documentation: "The Cloud SQL Auth Proxy currently does not support Unix sockets on Windows, so this option is only available for Linux and macOS platforms". Option C gives the editor role which is too broad and not neccessary. Option D gives viewer role. This looks good at first thought, but it's missing the cloudsql.instances.connect permission that Cloud SQL Auth Proxy requires for connectivity. As such the only answer that fits is A.
upvoted 6 times
09bd94b
4 months, 2 weeks ago
Well explained
upvoted 1 times
...
...
Pime13
Most Recent 4 days, 11 hours ago
Selected Answer: A
Principle of least privilege: Granting only the cloudsql.instances.connect permission ensures the service account has just enough access to connect to the Cloud SQL instance, without broader permissions like editing or viewing instance configurations. Custom role: Creating a custom role with only the required permission aligns with Google-recommended security practices. Cloud SQL Auth Proxy: Requires the service account to have the cloudsql.instances.connect permission to authenticate and establish a secure connection to the Cloud SQL instance. Instance connection name: Must be specified in the proxy command to direct the connection to the correct Cloud SQL instance.
upvoted 1 times
...
anshad666
9 months, 1 week ago
Selected Answer: B
B
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel