Topic 1 Question 64
You are configuring a new application that has access to an existing Cloud Spanner database. The new application reads from this database to gather statistics for a dashboard. You want to follow Google-recommended practices when granting Identity and Access Management (IAM) permissions. What should you do?
A. Reuse the existing service account that populates this database.
B. Create a new service account, and grant it the Cloud Spanner Database Admin role.
C. Create a new service account, and grant it the Cloud Spanner Database Reader role.
D. Create a new service account, and grant it the spanner.databases.select permission.
Comments (5)
- Selected answer: C
spanner.database.select is not enough; you also need spanner.database.read, which is included in the Cloud Spanner Database Reader role.
👍 5 chelbsik 2022/12/25
- Selected answer: B
Google recommended practice is to assign roles but not permissions directly. So, C
👍 2 Tharun1125438 2023/01/21
C. A new application should have its own service account. Eliminate A. The Admin role is too broad. Eliminate B. D grants an individual permission not a role. Granting permissions in IAM is done via a role. From Google’s documentation: “In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated principals.” https://cloud.google.com/iam/docs/overview
👍 2 dynamic_dba 2023/03/13