Exam Professional Cloud DevOps Engineer topic 1 question 2 discussion

I think it's C, because dashboard viewer "Read-only access to dashboard configurations." SRE team wants to view data, not configurations.

I did a test and see that: The valid roles are: Monitoring Viewer and Monitoring Dashboard Configuration Viewer. You can only share chart by URL using Metrics explorer. With only Monitoring Dashboard Configuration Viewer role, user cannot see anything in Monitoring page. I create a custom role from Monitoring Dashboard Configuration Viewer role and add resourcemanager.projects.get permission. Now user can see list of custom dashboards and the charts in these custom dashboards. User cannot see standard GCP dashboards. User cannot see the the chart in Metrics explorer (using the shared URL). Opening the URL, user will see errors: "Invalid resource type" and "Invalid metric type". So even if I ignore the typo of Dashboard Viewer role in B and D, they are still incorrect answers. So only A and C are valid. But I think C is better because the question is: "You want to share the chart" not the whole dashboard.

The most restrictive and correct option is B. Sharing the workspace Project ID and assigning the roles/monitoring.dashboardViewer role grants the SRE team only the ability to view dashboards. They won't have access to other Monitoring features or resources within the project. This adheres to the principle of least privilege. Option A is too broad. The roles/monitoring.viewer role grants read access to all monitoring data, not just the specific chart. Options C and D are unsuitable because "Share chart by URL" makes the chart publicly accessible to anyone with the link, violating the requirement of sharing only with the SRE team and least privilege principle. Even with a Viewer role assigned, the URL method bypasses specific IAM controls.

100% C

Ans: C this question is kind of weird because the role is: roles/monitoring.dashboardViewer "Monitoring Dashboard Configuration Viewer" but monitoring viewer its too much access so I tested in console https://cloud.google.com/iam/docs/understanding-roles with Dashboard Viewer I would´nt be allowed to see the chart URL with monitoring works fine Dashboard Viewer Provides read-only access to get and list information about all monitoring data and configurations.

C There are a number of IAM security roles related to monitoring. The big three are viewer, editor, and admin. To create the monitoring Workspace initially, a user will need the Monitoring Editor or Admin role in the Workspace's host project. The Monitoring Viewer can get read-only access to the Monitoring console and API. The Monitoring Editor has read-write access to the Monitoring console and APIs and can write monitoring data and configurations into the Workspace. And the Monitoring Admin has full access to, and control over, all monitoring resources. Past these big three roles, monitoring roles exist to provide and limit access to alert policies, dashboards, notification channels, service monitoring, and uptime checks.

The best option in this case would be C. Click "Share chart by URL" and provide the URL to the SRE team. Assign the SRE team the Monitoring Viewer IAM role in the workspace project. This option allows you to share the specific chart with the SRE team only, granting them read-only access to the chart's data, this way the team can view the CPU utilization chart and troubleshoot any performance issues related to the chart. You can use the feature of "Share chart by URL" to share the specific chart with the SRE team only, and provide a secure URL that can only be access by members of the team. And also giving them the "Monitoring Viewer" role, will give them just enough privilege to see the chart and its data but not the ability to make changes to the project, dashboard or other charts.

D) Dashboard viewer follows the principle of least privileges.

My vote is C

Option A grants the SRE team more access than necessary. The Monitoring Viewer role allows them to view all monitoring data in the project, not just the chart you want to share. Option B is a good option, but it is not as secure as option D. The Dashboard Viewer role allows the SRE team to view all dashboards in the project, not just the chart you want to share. Option C is not secure. Anyone who has the URL can view the chart, even if they are not a member of the SRE team. Option D is the most secure option. It allows the SRE team to view the chart without giving them access to any other data in the project. Here are the steps on how to share the chart with the SRE team:

There is no such role as "Dashboard Viewer"

The answer is C because : Dashboard viewer role not exists , monitor-viewer only https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer and Cloud Monitoring allows you to share the URL of the individual Dashboard and not of the entire project ID

It is the right answer

Ans: C Exam take on 19/12/2022, 50/50 from this dump without buying the full access.

I think is A, because there isn't any button "Share chart by URL", and least role is Monitoring Viewer (Dashboard viewer can see only dashboard configurations)

Decided to go for A on the exam because there is no "Share chart by URL" button, it's just "Share by URL".

i think it is A, i assume add chart into custom/default dashboard is best practice for creating chart and share URL would more like one time trade. Metrics Explorer lets you create a chart that you can use to explore a metric. However, the charts created by this tool aren't persistent. When you navigate away from the Metrics Explorer page, the chart is discarded. To save a chart you've configured with Metrics Explorer for future reference, add the chart to a custom dashboard or save the chart's URL: To keep a reference to the chart configuration, save the chart URL. Because the chart URL encodes the chart configuration, when you paste this URL into a browser the chart you configured is displayed.