Exam Associate Cloud Engineer topic 1 question 116 discussion

D cuz u just need read for DB at the other project

C is correct..

Here’s how to interpret the wording: "Give bigquery.dataViewer role to crm-databases-proj" means that you update the IAM policy for the crm-databases-proj project (or specifically the BigQuery datasets within that project) so that the service account (which is part of the web-applications project) gets the BigQuery Data Viewer role.

I find this question confusing, in Google Cloud IAM, roles are granted to members, not directly to projects. Why are all the options to give roles to projects?

It is D. Tested and approved that you do not need BigQuery permissions on the web-app project to access data on the bq tables stored in the crm-dbs project. You do need bq permissions for the SA on the crm project and compute permissions for the same SA on the web-app project. Then, using this SA on a VM on the web-app server, you can access data from bq on the crm-dbs project

Explanation: Least Privilege Principle: This approach adheres to the principle of least privilege by granting the minimum necessary permissions. Project Owner: The crm-databases-proj project needs full control to manage its resources. bigquery.dataViewer: The web-applications project only needs read access to BigQuery datasets in the crm-databases-proj project. Why other options are less suitable: A: Giving project owner to web-applications provides unnecessary permissions. B: Giving project owner to both projects grants excessive permissions. D: Giving bigquery.dataViewer to crm-databases-proj is incorrect as this project needs full control over its resources. By following option C, you ensure that the web-applications project has the required access to BigQuery datasets without compromising security.

Let's analyze the options: A & B: Granting "project owner" gives excessive permissions, violating the least privilege principle. C: Granting "project owner" to crm-databases-proj is unnecessary. D: Granting "bigquery.dataViewer" to crm-databases-proj allows the VM access to datasets and aligns with least privilege. Granting appropriate roles to web-applications secures the web application itself (not shown in this scenario). Therefore, option D is the recommended approach.

Project owner role is not required here, so that leaves us with only Option D

A, b & c is wrong. Keywords is configuring aervice account. A,b & c concerns user account. Correct answer is D

None of the options is correct. As for D: This option is unclear and potentially misleading. The bigquery.dataViewer role should be assigned specifically to the service account in the web-applications project, not to the crm-databases-proj project.

Damn! All the four options are correct :-D for the question given :-)

The correct answer is C

D is the correct answer, because all other option giveing access to project owner

Corrct Answer is D. Lets just read the options D this way, then it makes sense Give service account the bigquery.dataViewer role to crm-databases-proj and service account the appropriate roles to web-applications.

Thanks guys for making that clear for me. Now simply guys, among all the answers, D is giving to the web-application proj the appropriate role, while giving the crm-databases-proj the least privilege role.

Correct answer is D As basic roles (including Owner) should not be used in production environment:

C is correct..