Exam Professional Cloud Database Engineer topic 1 question 53 discussion

roles/cloudsql.instanceUser: This role allows the service account to connect to Cloud SQL instances. It provides the necessary permissions to access and read data from the Cloud SQL database without granting excessive permissions like editing or administrative capabilities. roles/spanner.databaseUser: This role grants the service account permission to read and write data within Cloud Spanner databases. It allows the service account to update tables in Cloud Spanner, which is necessary for your use case.

Y'all should read the documentation. Seems like none of you actually know anything about IAM? the cloudsql.viewer roles has: cloudsql.*.export cloudsql.*.get cloudsql.*.list cloudsql.instances.listServerCas cloudsql.instances.listServerCertificates in addition to a bunch of recommender permissions. roles/cloudsql.instanceUser only has two permissions: cloudsql.instances.get cloudsql.instances.login Some of you may think that this includes "Cloud SQL Admin", but that's wrong. As mentioned, read the docs more thoroughly, it says: "The following table lists each permission that Cloud SQL supports, the Cloud SQL roles that include it, and its basic role". A role has a permission, not the other way around. So, cloudsql.instances.get is part of Cloud SQL Admin, Client, Editor etc.

Should be A. Because roles/cloudsql.instanceUser has the cloudsql.instances.get role, which has the following roles included: Cloud SQL Admin Cloud SQL Client Cloud SQL Editor Cloud SQL Viewer This compromise “least privilege” requirements

I think it should be A because the roles/cloudsql.instanceUser role only has: cloudsql.instances.get cloudsql.instances.login You won't even be able to view anything with that role. https://cloud.google.com/sql/docs/mysql/iam-roles

To me, it is also "D", InstanceUser only has 2 permissions and Viewer has like 50 of them

The current answer is => D. roles/cloudsql.instanceUser and roles/spanner.databaseUser. roles/cloudsql.instanceUser: This role allows the service account to connect to Cloud SQL instances

Will go by A

Correct Ans = A Explanation: To read data out of Cloud SQL for SQL Server, you need to use a service account with the roles/cloudsql.viewer role on the Cloud SQL instance. This role grants the service account permission to read data from the instance. Whereas roles/cloudsql.instanceUser will only allow to login to cloud SQL instance. No resource will be allowed to view. To update a table in Cloud Spanner, you need to use a service account with the roles/spanner.databaseUser role on the Cloud Spanner instance. This role grants the service account permission to read and write data in the Spanner database.

between A or D. But roles/cloudsql.viewer to broad, so i choose D

D. I think that instanceUser had the necessary permissions to read data: https://cloud.google.com/sql/docs/sqlserver/iam-roles#roles:~:text=roles/cloudsql.instanceUser

We want to apply least privilege and need to read data out of Cloud SQL for SQL Server only, `roles/cloudsql.viewer` is good enough to statisfy the those requirement, that filters out B, C, and D already https://cloud.google.com/sql/docs/sqlserver/iam-roles#roles

To read data out of Cloud SQL for SQL Server, you need to use a service account with the roles/cloudsql.instanceUser role on the Cloud SQL instance. This role grants the service account permission to read data from the instance. To update a table in Cloud Spanner, you need to use a service account with the roles/spanner.databaseUser role on the Cloud Spanner instance. This role grants the service account permission to read and write data in the Spanner database. Therefore, to grant least privilege access, you should assign the service account only the required roles, which are roles/cloudsql.instanceUser and roles/spanner.databaseUser.

A. You need read access in Cloud SQL for SQL Server and read/write access in Cloud Spanner. Admin permissions are not required so eliminate B. roles/spanner.database Reader would not provide write access, so eliminate C. roles/cloudsql.viewer provides read only access to Cloud SQL resources. That eliminates D, leaving A.

Ans should be D for minimum access roles/cloudsql.instanceUser : Allowing to login and get roles/spanner.databaseUser: read and write

A is the correct answer

A: roles/cloudsql.viewer ***** and roles/spanner.databaseUser *****

https://cloud.google.com/spanner/docs/iam#:~:text=roles/spanner.databaseUser%20contains%20the%20permissions%20spanner.databases.read%20and%20spanner.databases.write https://cloud.google.com/sql/docs/mysql/iam-roles#:~:text=roles/cloudsql.viewer,to%20all%20Cloud%20SQL%20resources.