exam questions

Exam Professional Cloud Architect All Questions

View all questions & answers for the Professional Cloud Architect exam

Exam Professional Cloud Architect topic 1 question 10 discussion

Actual exam question from Google's Professional Cloud Architect
Question #: 10
Topic #: 1
[All Professional Cloud Architect Questions]

You write a Python script to connect to Google BigQuery from a Google Compute Engine virtual machine. The script is printing errors that it cannot connect to
BigQuery.
What should you do to fix the script?

  • A. Install the latest BigQuery API client library for Python
  • B. Run your script on a new virtual machine with the BigQuery access scope enabled
  • C. Create a new service account with BigQuery access and execute your script with that user
  • D. Install the bq component for gcloud with the command gcloud components install bq.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
kalschi
Highly Voted 4 months, 2 weeks ago
A - If client library was not installed, the python scripts won't run - since the question states the script reports "cannot connect" - the client library must have been installed. so it's B or C. B - https://cloud.google.com/bigquery/docs/authorization an access scope is how your client application retrieve access_token with access permission in OAuth when you want to access services via API call - in this case, it is possible that the python script use an API call instead of library, if this is true, then access scope is required. client library requires no access scope (as it does not go through OAuth) C - service account is Google Cloud's best practice So prefer C.
upvoted 99 times
rishab86
3 years, 3 months ago
Access scopes are the legacy method of specifying permissions for your instance. read from > https://cloud.google.com/compute/docs/access/service-accounts . So , I would go with C
upvoted 11 times
...
Vika
3 years, 11 months ago
agreed to comment here . C seems like a good option
upvoted 4 times
...
MQQNB
2 years, 5 months ago
agree access scope is enabled by default https://cloud.google.com/bigquery/docs/authorization#authenticate_with_oauth_20 If you use the BigQuery client libraries, you do not need this information, as this is done for you automatically.
upvoted 2 times
...
Musk
4 years, 7 months ago
Might be an old version
upvoted 4 times
...
...
KouShikyou
Highly Voted 5 years, 3 months ago
Why not B? It looks better for me.
upvoted 13 times
techalik
4 years, 2 months ago
Configure the Python API to use a service account with relevant BigQuery access enabled. is the right answer. It is likely that this service account this script is running under does not have the permissions to connect to BigQuery and that could be causing issues. You can prevent these by using a service account that has the necessary roles to access BigQuery. Ref: https://cloud.google.com/bigquery/docs/reference/libraries#cloud-console A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Ref: https://cloud.google.com/iam/docs/service-accounts
upvoted 6 times
...
tartar
4 years, 6 months ago
C is ok
upvoted 11 times
tartar
4 years, 5 months ago
Sorry, B is ok. You can create service account, add user to service account, and grant the user role as Service Account User. You still need to enable BigQuery scope to make the Python script running the instance to access BigQuery.
upvoted 15 times
cloudguy1
4 years, 5 months ago
Stop confusing people, B) doesn't make any sense. Why would you use or create a whole new VM just because of a permission issue? If anything, just stop the instance and edit the scope of the default Compute Service Account and grant it the role through IAM. C) is the most appropriate answer since you can only set scopes of the default Compute Service Account, if you're using any other, there's no scope option - its access is dictated strictly by IAM in such scenario. So C) is the answer: Stop the VM, change the Service Account with the appropriate permissions and done. B) would still need to have permission the set through IAM & Admin, the scope isn't enough with the default Compute Service Account.
upvoted 36 times
certificatores
4 years, 2 months ago
cloud guy1, relax. tartar is the hero for google cloud and if you read his answer, he explains the service account user's role granting on this one as that is the best practice
upvoted 4 times
...
...
...
...
nitinz
3 years, 11 months ago
C, no brainer. You need SA for using API period. Thats where your start your troubleshooting.
upvoted 6 times
[Removed]
2 years, 1 month ago
Create a new service account with BigQuery access and execute your script with that user: If you want to run the script on an existing virtual machine, you can create a new service account with the necessary permissions to access BigQuery and then execute the script using that service account. This will allow the script to connect to BigQuery and access the data it needs.
upvoted 2 times
...
nitinz
3 years, 11 months ago
I stand corrected, B you need to have scope. It is union of Scope + Service Account. If scope is not there, you are screwed anyways.
upvoted 2 times
...
...
...
hpf97
Most Recent 1 week, 1 day ago
Selected Answer: C
A & D does not deal about connection C : is mandatory for security reason B : could be true but here is always a "default" scope. And the error message is about connection not access. And it is for OAuth2 which we do not know if the python script uses it.
upvoted 1 times
...
ryaryarya
1 month ago
Selected Answer: B
This is obviously a really old question. The best answer is B. Here's why: - There was a time when you couldn't update access scopes on a VM and had to create a new one if the scopes needed to change (which was painful). - Without access scopes enabled, Google will block access to those APIs, so a new service account isn't enough, even if IAM was a problem. - The question just says that the script 'cannot connect' to BQ - it doesn't mention permissions.
upvoted 1 times
...
gcloud007
1 month, 1 week ago
Selected Answer: B
Actually the correct answer is B, reason is , you need to define the scope first, service accounts comes later.
upvoted 1 times
...
Ekramy_Elnaggar
2 months, 3 weeks ago
Selected Answer: C
A and C are correct, but we eliminated A because they mentioned "cannot connect" which means the script can run which means the client library was already installed, so final answer is only "C" "C" was chosen because in order to access BigQuery, the script needs to authenticate and be authorized. The recommended way to do this for applications running on Compute Engine is to use a service account. Create a service account with the appropriate permissions (e.g., "BigQuery Data Editor") to access your BigQuery data. When running the script, make sure it uses the service account credentials to authenticate. This can be done by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the service account key file.
upvoted 1 times
...
Hungdv
6 months ago
Choose C
upvoted 1 times
...
kingfighers
8 months ago
I suppose all of them are correct, but we should choose the least effort, B is correct..
upvoted 1 times
kingfighers
8 months ago
run script on a new vm, not create a new vm..
upvoted 1 times
...
...
a2le
8 months ago
Selected Answer: C
Tricky question. However, as you can read in gcloud compute instances create documentation: --scopes=[SCOPE,…] If not provided, the instance will be assigned the default scopes, described below. However, if neither --scopes nor --no-scopes are specified and the project has no default service account, then the instance will be created with no scopes. Note that the level of access that a service account has is determined by a combination of access scopes and IAM roles so you must configure both access scopes and IAM roles for the service account to work properly. So, probably, B is the right one, as for the "new vm", I guess that this is because you don't want to stop the current one before having the working one ready...
upvoted 2 times
...
Robert0
8 months, 2 weeks ago
Selected Answer: C
C - service account is Google Cloud's best practice
upvoted 1 times
...
researched_answer_boi
9 months, 2 weeks ago
Selected Answer: C
You don't need to create a new VM to have different access scopes: https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam This weakens answer B. When a user-managed service account is attached to the instance, the access scope defaults to cloud-platform: https://cloud.google.com/compute/docs/access/service-accounts#scopes_best_practice See Step 6 in: https://cloud.google.com/compute/docs/instances/change-service-account#changeserviceaccountandscopes These facts leave C as the valid answer.
upvoted 2 times
...
santoshchauhan
11 months ago
Selected Answer: C
C. Create a new service account with BigQuery access and execute your script with that user. Service accounts are used for server-to-server interactions, such as those between a virtual machine and BigQuery. You would need to create a service account that has the necessary permissions to access BigQuery, then download the service account key in JSON format. Once you have the key, you can set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) to the path of the JSON key file before running your script, which will authenticate your requests to BigQuery.
upvoted 3 times
Powerboy
11 months ago
better than creating and downloading a service account key would be to impersonate the service account
upvoted 1 times
...
...
tosinogunfile
1 year ago
The answer is C https://cloud.google.com/bigquery/docs/authentication For most services, you must attach the service account when you create the resource that will run your code; you cannot add or replace the service account later. Compute Engine is an exception—it lets you attach a service account to a VM instance at any time.
upvoted 1 times
...
hzaoui
1 year ago
Selected Answer: C
Connecting to BigQuery from a script requires proper authorization. Service accounts provide a secure way to grant access without sharing user credentials.
upvoted 1 times
...
public_figure
1 year, 1 month ago
It should be B, Script cannot be run by user and user cannot be assigned with Service account, SA can be assigned to a VM
upvoted 1 times
...
thewalker
1 year, 2 months ago
C Best practice is that SA with least privilege from a CE should access BQ.
upvoted 1 times
...
spatters
1 year, 3 months ago
B is silly because there's no need to create a new VM just to change the access scope. You can edit the existing VM's access scope, although you do have to stop it first.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago