Google Cloud Associate Cloud Engineer — Question 237
You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in the crm-databases project. You want to follow Google-recommended practices to grant access to the service account in the web-applications project. What should you do?
Answer options
- A. Grant "project owner" for web-applications appropriate roles to crm-databases.
- B. Grant "project owner" role to crm-databases and the web-applications project.
- C. Grant "project owner" role to crm-databases and roles/bigquery.dataViewer role to web-applications.
- D. Grant roles/bigquery.dataViewer role to crm-databases and appropriate roles to web-applications.
Correct answer: D
Explanation
The correct answer is D: granting roles/bigquery.dataViewer on crm-databases to the service account in the web-applications project gives the VMs access to the necessary BigQuery datasets without full ownership rights, which aligns with the principle of least privilege. The other options grant excessive permissions, such as "project owner", which could expose the resources to unnecessary risk and violate best practices.