Exam Associate Cloud Engineer topic 1 question 165 discussion

D. Ask the partner to create a Service Account in their project, and grant their Service Account access to the BigQuery dataset in your project.

BigQuery is in our project,so we need to create a service account and grant it access BigQuery role.That can make partner company to use this account to use it to access our project's BigQuery.So I vote A.

D is the best answer: - By having the partner create a Service Account and you granting access to it, you maintain ownership and control over your BigQuery data. - You can specifically grant the partner's Service Account the necessary BigQuery permissions (e.g., "BigQuery Data Viewer"), avoiding overly broad access. - Each company manages Service Accounts within their own projects, maintaining a separation of concerns. Why Others Aren't as Ideal: A & B: Creating a Service Account in your project and sharing it with the partner (or vice versa) introduces potential management complexities and blurs the lines of responsibility for that Service Account. C: Giving the partner company full control to grant their own service accounts access to your dataset could open up broader access than intended.

Cross project access. Application in Project A want to access a service in project B. 1. Create a service account in project A. 2. Give the required permission to access the services in project B.

A. Useless if the private key of the Service Account is not shared with the partner (this would not be a good practice in terms of security) B. Not possible. C. Useless as the won't have access to the data in our data warehouse on BigQuery. D. Is the correct answer and follow best practices.

Should be D

"Service accounts are both identities and resources. Because service accounts are identities, you can let a service account access resources in your project by granting it a role, just like you would for any other principal."

had this one today

D is right

https://gtseres.medium.com/using-service-accounts-across-projects-in-gcp-cf9473fef8f0#:~:text=Go%20to%20the%20destination%20project,Voila!

I thought it was A. But when I quickly did some research I found this: "Service accounts are both identities and resources. Because service accounts are identities, you can let a service account access resources in your project by granting it a role, just like you would for any other principal." Thus, the answer is D.

D per my understanding: if the need is to authenticate the application to access your dataset, it's the application's serice account that will be provided during the authentication, so the service account is to be created at their side to run the application, not the other way around.

How is it D? I want to give access to my BigQuery data, so I need to provide the ServiceAccount. I create it, put some decent predefined roles on it, and whenever I stop working with the other company, I either invalidate the JSON key of the SA or I simply delete the SA. For me, it is A.

Answer should be D, as the other company project needs access in your project.

It|s A

D is the answer

I think it is "D" but I have not found such usecase when you share dataset with another organization via service account