Google Cloud Associate Cloud Engineer — Question 277
You have an application running inside a Compute Engine instance. You want to provide the application with secure access to a BigQuery dataset. You must ensure that credentials are only valid for a short period of time, and your application will only have access to the intended BigQuery dataset. You want to follow Google-recommended practices and minimize your operational costs. What should you do?
Answer options
- A. Attach a new service account to the instance every hour, and grant the service account the BigQuery Data Viewer IAM role on the project.
- B. Attach a custom service account to the instance, and grant the service account the BigQuery Data Viewer IAM role on the dataset.
- C. Attach a new service account to the instance every hour, and grant the service account the BigQuery Data Viewer IAM role on the dataset.
- D. Attach a custom service account to the instance, and grant the service account the BigQuery Data Viewer IAM role on the project.
Correct answer: B
Explanation
The correct answer is B because attaching a custom service account to the instance and granting it the BigQuery Data Viewer role at the dataset level ensures that the application can reach only the intended dataset, following the principle of least privilege. The short-lived credential requirement is met by the attached service account itself: the application obtains access tokens from the instance metadata server, and those tokens expire and are refreshed automatically, so there is no need to rotate service accounts. Options A and D grant the role at the project level, which gives the application access to every dataset in the project and is broader than required. Options A and C involve attaching a new service account every hour, which is unnecessary and increases operational complexity and cost.