Google Cloud Associate Cloud Engineer — Question 110
You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in crm-databases-proj. You want to follow Google-recommended practices to give access to the service account in the web-applications project. What should you do?
Answer options
- A. Give "project owner" for web-applications appropriate roles to crm-databases-proj.
- B. Give "project owner" role to crm-databases-proj and the web-applications project.
- C. Give "project owner" role to crm-databases-proj and bigquery.dataViewer role to web-applications.
- D. Give bigquery.dataViewer role to crm-databases-proj and appropriate roles to web-applications.
Correct answer: D
Explanation
The correct answer is D because it follows the principle of least privilege by granting the bigquery.dataViewer role specifically for accessing BigQuery datasets in crm-databases-proj while ensuring that the web-applications project has the required permissions. Options A and B provide excessive permissions that can lead to security risks, and option C does not grant the necessary access to the web-applications project itself.