Google Cloud Professional Cloud Database Engineer — Question 102

You are configuring a new application that has access to an existing Cloud Spanner database. The new application reads from this database to gather statistics for a dashboard. You want to follow Google-recommended practices when granting Identity and Access Management (IAM) permissions. What should you do?

Answer options

• A. Reuse the existing service account that populates this database.
• B. Create a new service account, and grant it the Cloud Spanner Database Admin role.
• C. Create a new service account, and grant it the Cloud Spanner Database Reader role.
• D. Create a new service account, and grant it the spanner.databases.select permission.

Correct answer: C

Explanation

The correct answer is C because granting the Cloud Spanner Database Reader role allows the new application to read data from the database without unnecessary permissions. Option A is incorrect as reusing the existing service account may provide more access than needed, while B and D give excessive permissions that are not appropriate for just reading data.