Google Cloud Professional Cloud Developer — Question 304
You are about to deploy an application hosted on a Compute Engine instance with Windows OS and Cloud SQL. You plan to use the Cloud SQL Auth Proxy for connectivity to the Cloud SQL instance. You plan to follow Google-recommended practices and the principle of least privilege. You have already created a custom service account. What should you do next?
Answer options
- A. Create and assign a custom role with the cloudsql.instances.connect permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
- B. Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy start command to use the --unix-socket CLI option.
- C. Grant the custom service account the roles/cloudsql.editor role.
- D. Grant the custom service account the roles/cloudsql.viewer role. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
Correct answer: A
Explanation
The correct answer is A because creating a custom role with the cloudsql.instances.connect permission ensures that the service account has the minimum necessary privilege to connect to the Cloud SQL instance. Option B grants a broader role than needed, while C and D provide insufficient permissions to establish a connection to Cloud SQL, which violates the principle of least privilege.
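The steps behind option A, typed into PowerShell on the Windows instance, are shown here as an added example that is not part of the original question. The project, role ID, service account, region and instance names are placeholders, and the example assumes the Cloud SQL Auth Proxy v2 binary (cloud-sql-proxy.exe) is in the current directory and that the VM runs as the custom service account.

```powershell
# Placeholder values (assumptions for illustration; replace with your own).
$Project  = "my-project"
$RoleId   = "cloudSqlProxyConnect"
$SaEmail  = "app-sa@${Project}.iam.gserviceaccount.com"
$Instance = "${Project}:us-central1:my-instance"   # instance connection name

# 1. Create a custom role that carries only the permission named in option A.
gcloud iam roles create $RoleId --project=$Project --title="Cloud SQL Proxy Connect" --description="Connect to Cloud SQL through the Auth Proxy" --permissions=cloudsql.instances.connect --stage=GA

# 2. Bind the custom role to the custom service account at project level.
gcloud projects add-iam-policy-binding $Project --member="serviceAccount:$SaEmail" --role="projects/$Project/roles/$RoleId" --condition=None

# 3. Check what the service account actually holds. Any role listed besides
#    the custom one (for example roles/cloudsql.editor) is excess privilege
#    to review and remove.
gcloud projects get-iam-policy $Project --flatten="bindings[].members" --filter="bindings.members:serviceAccount:$SaEmail" --format="value(bindings.role)"

# 4. Confirm the custom role's permission list has not grown over time.
gcloud iam roles describe $RoleId --project=$Project --format="value(includedPermissions)"

# 5. Start the proxy with the instance connection name. It listens on a local
#    TCP port and uses the VM's attached service account for credentials.
.\cloud-sql-proxy.exe $Instance
```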