You built an application on Google Cloud that uses Cloud Spanner. Your support team needs to monitor the environment but should not have access to table data.
You need a streamlined solution to grant the correct permissions to your support team, and you want to follow Google-recommended practices. What should you do?
The roles/monitoring.viewer role grants read-only access to monitoring data without giving access to the table data. This is the correct role for monitoring the environment while following Google-recommended practices to ensure the support team does not have access to sensitive table data.
its A, As you need to monitor only
A, right, correct answer. B and C are incorrect because allow to read data. D also incorrect: Not for monitoring. roles/stackdriver.accounts.viewer Stackdriver Accounts Viewer: Read-only access to get and list information about Stackdriver account structure (resourcemanager.projects.get, resourcemanager.projects.list and stackdriver.projects.get)
https://cloud.google.com/iam/docs/understanding-roles
A is correct as user should not have any access to data, so B and C cant be used in this scenario.
This was there in exam, go with community answers.
Answer A, adding the support team group to the roles/monitoring.viewer role, is the CORRECT answer. This role grants read-only access to monitoring data for all resources in a project, which allows the support team to monitor the environment but not access the table data. Answer B, adding the support team group to the roles/spanner.databaseUser role, grants read and write access to all tables in the specified database, which is NOT required for the support team to monitor the environment. Answer C, adding the support team group to the roles/spanner.databaseReader role, grants read-only access to all tables in the specified database, which would give the support team access to the table data. Answer D, adding the support team group to the roles/stackdriver.accounts.viewer role, grants permissions to view Stackdriver data for all resources in a project, which is NOT directly related to monitoring the Cloud Spanner environment.
had this question today
A is correct
A. This is the only role that provides read-only access to get and list information about all monitoring data and configurations.
A. Add the support team group to the roles/monitoring.viewer role
Go for A
You only need to monitor so A is correct!
roles/monitoring.viewer Monitoring Viewer Grants read-only access to Monitoring in the Google Cloud console and API.
B is wrong because it grants write access also we only need monitoring access.
A is correct, the team need to monitor the environment not read the data.
A is correct
the goal of support team is to MONITOR the environment only. therefore roles/monitoring.viewer role is the best option we have https://cloud.google.com/spanner/docs/iam#roles
A as you only need the monitor access
Makes sense for me
Its D. Stackdriver roles in GCP (Google Cloud Platform) are predefined sets of permissions that control access to monitoring and logging data within Stackdriver, a suite of tools for monitoring and logging applications and infrastructure in GCP. These roles determine what users or groups can see and do within Stackdriver. They allow you to grant granular access levels, ensuring users have the necessary permissions to perform their tasks without exposing sensitive data or granting unnecessary control.