Topic 1 Question 116
You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in crm-databases-proj. You want to follow Google-recommended practices to give access to the service account in the web-applications project. What should you do?
Give ג€project ownerג€ for web-applications appropriate roles to crm-databases-proj.
Give ג€project ownerג€ role to crm-databases-proj and the web-applications project.
Give ג€project ownerג€ role to crm-databases-proj and bigquery.dataViewer role to web-applications.
Give bigquery.dataViewer role to crm-databases-proj and appropriate roles to web-applications.
解説
ユーザの投票
コメント(17)
D cuz u just need read for DB at the other project
👍 29ezat2020/07/07C is correct..
👍 11DarioFama232020/07/07This question is misleading. the requirements are for the web -application service account to have "access" to the BQ Datasets, but it doesn't specify what they need to do. Principal of Least Privilege would lead you to think they just need Viewer. Problem is the answers are also misleading. C gives Project Owner to the dataset project, and -appropriate- permissions to the web-application service account. It seems to indicate that it's giving project owner to the project itself, which makes no sense. D gives dataViewer to the BQ project, which doesn't make sense either because it's the web-application service account that needs access to BQ.
I think this is a poorly worded question and poorly worded answers personally.
👍 5fragment1372022/12/01
シャッフルモード