You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in crm-databases-proj. You want to follow Google-recommended practices to give access to the service account in the web-applications project. What should you do?
To follow Google-recommended practices, it is essential to adhere to the principle of least privilege, which means granting only the minimum permissions necessary. In this scenario, virtual machines in the web-applications project need access to BigQuery datasets in crm-databases-proj. The most appropriate approach would be to grant the bigquery.dataViewer role to the service account that the applications in web-applications project are using. This allows the VMs in the web-applications project to read the datasets in crm-databases-proj without over-privileging any accounts or projects. Therefore, the correct approach is to give the bigquery.dataViewer role to the web-applications project and ensure the necessary permissions are properly assigned to any service accounts in that project.
D cuz u just need read for DB at the other project
U re right, D is the correct answee
Question didn't specify if the required access is Read only or more, its saying "access" which could be write permissions as well. I will go with C
U r right, it D. why to give "project owner" as stated on C. correct answer is D
but why giving bigquery.dataViewer to crm-databases-proj. we should give for web-application.
You can technically give bigquery.dataviewer to crm-databases-proj service account then create a Key and use that key on the VMs, there for making it correct to use D as answer but is way to dumb I would prefer C BUUUUUUT WHY would I give Project Owner to crm-databases-proj? they really do not evaluate your knowladge
It is D because you're right, the question doesn't specify any specific kind of access, however, we need to follow the principle of least-privilege. Hence, we can only assume that read-only access is needed. bigquery.dataViewer should be assigned to the group of analysts in the crm-databases-proj project. https://cloud.google.com/bigquery/docs/access-control-examples#read_access_to_data_in_a_different_project
See the option correctly, as the web app needs access to the big query datasets we have to give access to the web app the data viewer role to only read the datasets! Hence, C
C is correct..
But why giving project owner role to crm-databases-proj ?
THAT SO DUM
I meet BigQuery the first time ever personly
I dont get the question. It says "web-applications project need access to BigQuery datasets in crm-databases-proj" And all you folks stating C or D is the correct one. Why would we want to give those permissions to the DB? When the question clearly states that the web-app is the one that needs access to the DB?
I believe that the correct answer is option D. Although the web application requires the bigquery.dataViewer role, the option D mentions "appropriate roles to web applications" and the appropriate role in this case is indeed bigquery.dataViewer. It is not recommended to give the project owner role to crm-databases-proj as it grants too many permissions. Google's best practice is to minimize the number of permissions granted, so option D aligns with this principle.
It says 'web-applications project need access to BigQuery datasets in crm-databases-proj'. Therefore, give web-applications the BigQuery Data Viewer role - not the other way around. Why would crm-databases-proj need this role in this situation?
None of the options is correct. As for D: This option is unclear and potentially misleading. The bigquery.dataViewer role should be assigned specifically to the service account in the web-applications project, not to the crm-databases-proj project.
The ideal approach (not listed in the options) would be: Create a service account in the web-applications project specifically for accessing the BigQuery datasets. Grant this service account the bigquery.dataViewer role (or another more specific role if different access is needed) on the crm-databases-proj project's BigQuery datasets. Use this service account in your VMs in the web-applications project.
Corrct Answer is D. Lets just read the options D this way, then it makes sense Give service account the bigquery.dataViewer role to crm-databases-proj and service account the appropriate roles to web-applications.
Damn! All the four options are correct :-D for the question given :-)
why we should grant 'project owner' role? we only need to give access for BigQuery i choose Answer D
C is correct..
Correct answer is D As basic roles (including Owner) should not be used in production environment:
Thanks guys for making that clear for me. Now simply guys, among all the answers, D is giving to the web-application proj the appropriate role, while giving the crm-databases-proj the least privilege role.
D is the correct answer, because all other option giveing access to project owner
The correct answer is C
A, b & c is wrong. Keywords is configuring aervice account. A,b & c concerns user account. Correct answer is D
Project owner role is not required here, so that leaves us with only Option D
Let's analyze the options: A & B: Granting "project owner" gives excessive permissions, violating the least privilege principle. C: Granting "project owner" to crm-databases-proj is unnecessary. D: Granting "bigquery.dataViewer" to crm-databases-proj allows the VM access to datasets and aligns with least privilege. Granting appropriate roles to web-applications secures the web application itself (not shown in this scenario). Therefore, option D is the recommended approach.