Exam Professional Cloud Architect topic 1 question 10 discussion

A - If client library was not installed, the python scripts won't run - since the question states the script reports "cannot connect" - the client library must have been installed. so it's B or C. B - https://cloud.google.com/bigquery/docs/authorization an access scope is how your client application retrieve access_token with access permission in OAuth when you want to access services via API call - in this case, it is possible that the python script use an API call instead of library, if this is true, then access scope is required. client library requires no access scope (as it does not go through OAuth) C - service account is Google Cloud's best practice So prefer C.

Why not B? It looks better for me.

A and C are correct, but we eliminated A because they mentioned "cannot connect" which means the script can run which means the client library was already installed, so final answer is only "C" "C" was chosen because in order to access BigQuery, the script needs to authenticate and be authorized. The recommended way to do this for applications running on Compute Engine is to use a service account. Create a service account with the appropriate permissions (e.g., "BigQuery Data Editor") to access your BigQuery data. When running the script, make sure it uses the service account credentials to authenticate. This can be done by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the service account key file.

Choose C

I suppose all of them are correct, but we should choose the least effort, B is correct..

Tricky question. However, as you can read in gcloud compute instances create documentation: --scopes=[SCOPE,…] If not provided, the instance will be assigned the default scopes, described below. However, if neither --scopes nor --no-scopes are specified and the project has no default service account, then the instance will be created with no scopes. Note that the level of access that a service account has is determined by a combination of access scopes and IAM roles so you must configure both access scopes and IAM roles for the service account to work properly. So, probably, B is the right one, as for the "new vm", I guess that this is because you don't want to stop the current one before having the working one ready...

C - service account is Google Cloud's best practice

You don't need to create a new VM to have different access scopes: https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam This weakens answer B. When a user-managed service account is attached to the instance, the access scope defaults to cloud-platform: https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice See Step 6 in: https://cloud.google.com/compute/docs/instances/change-service-account#changeserviceaccountandscopes These facts leave C as the valid answer.

C. Create a new service account with BigQuery access and execute your script with that user. Service accounts are used for server-to-server interactions, such as those between a virtual machine and BigQuery. You would need to create a service account that has the necessary permissions to access BigQuery, then download the service account key in JSON format. Once you have the key, you can set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) to the path of the JSON key file before running your script, which will authenticate your requests to BigQuery.

The answer is C https://cloud.google.com/bigquery/docs/authentication For most services, you must attach the service account when you create the resource that will run your code; you cannot add or replace the service account later. Compute Engine is an exception—it lets you attach a service account to a VM instance at any time.

Connecting to BigQuery from a script requires proper authorization. Service accounts provide a secure way to grant access without sharing user credentials.

It should be B, Script cannot be run by user and user cannot be assigned with Service account, SA can be assigned to a VM

C Best practice is that SA with least privilege from a CE should access BQ.

B is silly because there's no need to create a new VM just to change the access scope. You can edit the existing VM's access scope, although you do have to stop it first.

Closest is C. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#gcloud The confusion part is that it should never use the word user to represent service account

Recomended best practice

you need service account to access any service in Google