Topic 1 Question 310
You are about to deploy an application hosted on a Compute Engine instance with Windows OS and Cloud SQL. You plan to use the Cloud SQL Auth Proxy for connectivity to the Cloud SQL instance. You plan to follow Google-recommended practices and the principle of least privilege. You have already created a custom service account. What should you do next?
A. Create and assign a custom role with the cloudsql.instances.connect permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
B. Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy start command to use the --unix-socket CLI option.
C. Grant the custom service account the roles/cloudsql.editor role.
D. Grant the custom service account the roles/cloudsql.viewer role. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
Comments (2)
- Option believed to be correct: A
Option B recommends using the role "cloudsql.client". This role only has the following two permissions:
- cloudsql.instances.connect
- cloudsql.instances.get
This is great when following the principle of least privilege. However, according to the documentation: "The Cloud SQL Auth Proxy currently does not support Unix sockets on Windows, so this option is only available for Linux and macOS platforms".
Option C gives the editor role which is too broad and not necessary.
Option D gives viewer role. This looks good at first thought, but it's missing the cloudsql.instances.connect permission that Cloud SQL Auth Proxy requires for connectivity.
As such the only answer that fits is A.
👍 6 SahandJ 2024/10/20
- Option believed to be correct: B
B
👍 1 anshad666 2024/10/11
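The configuration the first comment describes (a custom role carrying only cloudsql.instances.connect, and a proxy start command that names the instance), as an added PowerShell example that is not part of the original thread. The project, role ID, service account and instance names are placeholders, and it assumes Cloud SQL Auth Proxy v2 (cloud-sql-proxy.exe) running on a VM whose attached identity is the custom service account.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
$Project  = "my-project"
$RoleId   = "cloudSqlProxyConnect"
$SaEmail  = "app-sa@${Project}.iam.gserviceaccount.com"
$Instance = "${Project}:us-central1:my-instance"   # PROJECT:REGION:INSTANCE

# 1. Custom role containing only the permission the proxy needs to connect.
gcloud iam roles create $RoleId "--project=$Project" `
  "--title=Cloud SQL Auth Proxy connect" `
  "--permissions=cloudsql.instances.connect" "--stage=GA"

# 2. Bind that role, and nothing broader, to the custom service account.
gcloud projects add-iam-policy-binding $Project `
  "--member=serviceAccount:$SaEmail" `
  "--role=projects/$Project/roles/$RoleId" "--condition=None"

# 3. Confirm the role holds exactly one permission.
$perms = gcloud iam roles describe $RoleId "--project=$Project" `
  "--format=value(includedPermissions)"
if ($perms -ne "cloudsql.instances.connect") {
    throw "Custom role grants more than expected: $perms"
}

# 4. List every project-level role bound to the service account and warn
#    about anything besides the custom role (for example roles/cloudsql.editor).
$roles = gcloud projects get-iam-policy $Project "--flatten=bindings[].members" `
  "--filter=bindings.members:$SaEmail" "--format=value(bindings.role)"
$extra = @($roles | Where-Object { $_ -ne "projects/$Project/roles/$RoleId" })
if ($extra.Count -gt 0) {
    Write-Warning "Additional roles bound: $($extra -join ', ')"
}

# 5. Start the proxy with the instance connection name. No --unix-socket:
#    on Windows the proxy listens on a local TCP port (127.0.0.1) instead.
#    Credentials come from the VM's attached service account.
& .\cloud-sql-proxy.exe $Instance
```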