
Professional Cloud DevOps Engineer Exam - Question 2


You created a Stackdriver chart for CPU utilization in a dashboard within your workspace project. You want to share the chart with your Site Reliability Engineering (SRE) team only. You want to ensure you follow the principle of least privilege. What should you do?

Correct Answer: AC

To grant the Site Reliability Engineering (SRE) team the least privilege necessary to view the specific Stackdriver chart for CPU utilization, you should use the 'Share chart by URL' feature and provide the URL to the SRE team. Additionally, assigning the SRE team the Monitoring Viewer IAM role in the workspace project will give them read-only access to the chart's data without granting them unnecessary permissions. This ensures they can view the chart without making configurations or accessing other data unrelated to their role.
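A check for the outcome described above, added here as an example (it is not part of the original page): it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy` prints and reports whether the SRE group holds only `roles/monitoring.viewer` and which other principals can read the same metrics. The group address, the sample policy and the function name are constructed for illustration, and only project-level bindings of predefined and basic roles are considered.

```python
import json

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/monitoring.viewer",
     "members": ["group:sre-team@example.com"]},
    {"role": "roles/monitoring.editor",
     "members": ["group:sre-team@example.com"]},
    {"role": "roles/monitoring.dashboardViewer",
     "members": ["group:support@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:contractor@example.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]}
  ]
}""")

READ_ROLE = "roles/monitoring.viewer"
# Predefined and basic roles that also include read access to Monitoring data.
ALSO_READS_METRICS = {"roles/monitoring.editor", "roles/monitoring.admin",
                      "roles/viewer", "roles/editor", "roles/owner"}


def audit_chart_access(policy, sre_member, approved=()):
    """Audit project-level bindings only; inherited bindings and custom roles are out of scope."""
    held, others = set(), {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member == sre_member:
                held.add(role)  # every role the SRE group holds directly
            elif role == READ_ROLE or role in ALSO_READS_METRICS:
                if member not in approved:
                    others.setdefault(member, []).append(role)
    return {
        "sre_can_view": READ_ROLE in held,
        "sre_excess_roles": sorted(held - {READ_ROLE}),
        "other_readers": {m: sorted(r) for m, r in sorted(others.items())},
    }


if __name__ == "__main__":
    report = audit_chart_access(SAMPLE_POLICY, "group:sre-team@example.com",
                                approved=("user:admin@example.com",))
    print(json.dumps(report, indent=2))
```

The dashboard-configuration role is deliberately not counted as a metrics reader, since it covers dashboard configurations rather than the chart's data.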

Discussion

17 comments
syslog Option: C
Jun 7, 2021

I think it's C, because dashboard viewer "Read-only access to dashboard configurations." SRE team wants to view data, not configurations.

akg001
Jun 7, 2021

Correct, there is no such role - "dashboard viewer". The correct name is monitoring dashboard configuration viewer (and the permission is - Read-only access to dashboard configurations). So the correct answer should be - C

gcpengineer
Aug 10, 2021

But it gives access to all list in monitoring of the project.

AzureDP900
Oct 29, 2022

C is correct

Raz0r
Dec 20, 2023

There is, but only the single role won't give sufficient access. https://cloud.google.com/monitoring/access-control?hl=de#monitoring.dashboardViewer

danchoif2 Option: C
Aug 29, 2021

I did a test and saw that the valid roles are Monitoring Viewer and Monitoring Dashboard Configuration Viewer. You can only share a chart by URL using Metrics explorer. With only the Monitoring Dashboard Configuration Viewer role, the user cannot see anything in the Monitoring page. I created a custom role from the Monitoring Dashboard Configuration Viewer role and added the resourcemanager.projects.get permission. Now the user can see the list of custom dashboards and the charts in these custom dashboards. The user cannot see standard GCP dashboards. The user cannot see the chart in Metrics explorer (using the shared URL). Opening the URL, the user will see errors: "Invalid resource type" and "Invalid metric type". So even if I ignore the typo of Dashboard Viewer role in B and D, they are still incorrect answers. So only A and C are valid. But I think C is better because the question is: "You want to share the chart" not the whole dashboard.

AzureDP900
Oct 23, 2022

I agree with you, I am okay with C.

mohan999 Option: C
Nov 8, 2022

I have verified this, both A and C do the same thing except C gives you comfort to see the chart directly using the link without having to browse through all the way to the chart.

hanweiCN Option: A
Nov 18, 2022

I think it is A. I assume adding the chart to a custom/default dashboard is best practice for creating a chart, and sharing the URL would be more like a one-time trade. Metrics Explorer lets you create a chart that you can use to explore a metric. However, the charts created by this tool aren't persistent. When you navigate away from the Metrics Explorer page, the chart is discarded. To save a chart you've configured with Metrics Explorer for future reference, add the chart to a custom dashboard or save the chart's URL: To keep a reference to the chart configuration, save the chart URL. Because the chart URL encodes the chart configuration, when you paste this URL into a browser the chart you configured is displayed.

hanweiCN
Nov 18, 2022

And this is not the "share chart by URL" option, it is "share by URL".

MTS88 Option: A
Dec 11, 2022

I think it is A, because there isn't any button "Share chart by URL", and least role is Monitoring Viewer (Dashboard viewer can see only dashboard configurations).

floppino Option: C
Dec 24, 2022

Ans: C. Exam taken on 19/12/2022, 50/50 from this dump without buying the full access.

thewalker Option: D
May 24, 2024

Option A grants the SRE team more access than necessary. The Monitoring Viewer role allows them to view all monitoring data in the project, not just the chart you want to share.
Option B is a good option, but it is not as secure as option D. The Dashboard Viewer role allows the SRE team to view all dashboards in the project, not just the chart you want to share.
Option C is not secure. Anyone who has the URL can view the chart, even if they are not a member of the SRE team.
Option D is the most secure option. It allows the SRE team to view the chart without giving them access to any other data in the project.
Here are the steps on how to share the chart with the SRE team:

thewalker
May 24, 2024

1. Open the Stackdriver dashboard that contains the chart you want to share.
2. Click the Share button in the top right corner of the dashboard.
3. Click Share chart by URL.
4. Copy the URL and share it with the SRE team.
5. In the IAM & Admin section of the Google Cloud Console, navigate to the workspace project.
6. Click on IAM & Admin > IAM.
7. Click Add.
8. In the New members field, enter the email address of the SRE team.
9. In the Select a role dropdown, select Dashboard Viewer.
10. Click Save.
The SRE team will now be able to view the chart by clicking on the URL you shared with them. They will not have access to any other data in the project.

thewalker
May 24, 2024

Additional Considerations
It is important to note that the principle of least privilege is not just about security. It is also about efficiency. By giving users only the access they need, you can reduce the risk of errors and make it easier to manage your resources. Here are some additional tips for following the principle of least privilege:
- Review your IAM roles regularly. Make sure that users only have the access they need.
- Use groups to manage access. This can make it easier to grant and revoke access to multiple users at once.
- Use temporary access when possible. This can help to reduce the risk of unauthorized access.
By following these tips, you can help to ensure that your Google Cloud resources are secure and efficient.

zellck Option: C
Oct 24, 2022

C is the answer.
https://cloud.google.com/monitoring/access-control#mon_roles_desc
roles/monitoring.viewer - Monitoring Viewer: Grants read-only access to Monitoring in the Google Cloud console and API.

AzureDP900 Option: C
Oct 26, 2022

C. There are a number of IAM security roles related to monitoring. The big three are viewer, editor, and admin. To create the monitoring Workspace initially, a user will need the Monitoring Editor or Admin role in the Workspace's host project. The Monitoring Viewer can get read-only access to the Monitoring console and API. The Monitoring Editor has read-write access to the Monitoring console and APIs and can write monitoring data and configurations into the Workspace. And the Monitoring Admin has full access to, and control over, all monitoring resources. Past these big three roles, monitoring roles exist to provide and limit access to alert policies, dashboards, notification channels, service monitoring, and uptime checks.

chelbsik Option: A
Dec 6, 2022

Decided to go for A on the exam because there is no "Share chart by URL" button, it's just "Share by URL".

MTS88
Dec 11, 2022

But "Share by URL" is in chart? I remember it's only logging explorer

JonathanSJ Option: C
Jan 11, 2023

The best option in this case would be C. Click "Share chart by URL" and provide the URL to the SRE team. Assign the SRE team the Monitoring Viewer IAM role in the workspace project. This option allows you to share the specific chart with the SRE team only, granting them read-only access to the chart's data. This way the team can view the CPU utilization chart and troubleshoot any performance issues related to the chart. You can use the feature of "Share chart by URL" to share the specific chart with the SRE team only, and provide a secure URL that can only be accessed by members of the team. And also giving them the "Monitoring Viewer" role will give them just enough privilege to see the chart and its data but not the ability to make changes to the project, dashboard or other charts.

jeffersonkozak Option: A
Jun 17, 2023

https://cloud.google.com/monitoring/charts/share-dashboards

Jason_Cloud_at Option: C
Oct 27, 2023

It is the right answer

maxdanny Option: C
Nov 9, 2023

The answer is C because: the Dashboard viewer role does not exist, monitor-viewer only https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer and Cloud Monitoring allows you to share the URL of the individual Dashboard and not of the entire project ID.

jinaldesailive Option: B
Mar 7, 2024

There is no such role as "Dashboard Viewer"

andersonbispos42 Option: C
Jun 3, 2024

My vote is C

PhilipKoku Option: D
Jul 4, 2024

D) Dashboard viewer follows the principle of least privileges.