Exam Associate Cloud Engineer topic 1 question 116 discussion

D cuz u just need read for DB at the other project

C is correct..

It is D. Tested and approved that you do not need BigQuery permissions on the web-app project to access data on the bq tables stored in the crm-dbs project. You do need bq permissions for the SA on the crm project and compute permissions for the same SA on the web-app project. Then, using this SA on a VM on the web-app server, you can access data from bq on the crm-dbs project

Explanation: Least Privilege Principle: This approach adheres to the principle of least privilege by granting the minimum necessary permissions. Project Owner: The crm-databases-proj project needs full control to manage its resources. bigquery.dataViewer: The web-applications project only needs read access to BigQuery datasets in the crm-databases-proj project. Why other options are less suitable: A: Giving project owner to web-applications provides unnecessary permissions. B: Giving project owner to both projects grants excessive permissions. D: Giving bigquery.dataViewer to crm-databases-proj is incorrect as this project needs full control over its resources. By following option C, you ensure that the web-applications project has the required access to BigQuery datasets without compromising security.

Let's analyze the options: A & B: Granting "project owner" gives excessive permissions, violating the least privilege principle. C: Granting "project owner" to crm-databases-proj is unnecessary. D: Granting "bigquery.dataViewer" to crm-databases-proj allows the VM access to datasets and aligns with least privilege. Granting appropriate roles to web-applications secures the web application itself (not shown in this scenario). Therefore, option D is the recommended approach.

Project owner role is not required here, so that leaves us with only Option D

A, b & c is wrong. Keywords is configuring aervice account. A,b & c concerns user account. Correct answer is D

None of the options is correct. As for D: This option is unclear and potentially misleading. The bigquery.dataViewer role should be assigned specifically to the service account in the web-applications project, not to the crm-databases-proj project.

Damn! All the four options are correct :-D for the question given :-)

The correct answer is C

D is the correct answer, because all other option giveing access to project owner

Corrct Answer is D. Lets just read the options D this way, then it makes sense Give service account the bigquery.dataViewer role to crm-databases-proj and service account the appropriate roles to web-applications.

Thanks guys for making that clear for me. Now simply guys, among all the answers, D is giving to the web-application proj the appropriate role, while giving the crm-databases-proj the least privilege role.

Correct answer is D As basic roles (including Owner) should not be used in production environment:

C is correct..

I dont get the question. It says "web-applications project need access to BigQuery datasets in crm-databases-proj" And all you folks stating C or D is the correct one. Why would we want to give those permissions to the DB? When the question clearly states that the web-app is the one that needs access to the DB?

It says 'web-applications project need access to BigQuery datasets in crm-databases-proj'. Therefore, give web-applications the BigQuery Data Viewer role - not the other way around. Why would crm-databases-proj need this role in this situation?