
Explanation:
The question is about configuring IAM permissions for a new application that reads from an existing Cloud Spanner database to gather statistics for a dashboard. The best practice is to follow the principle of least privilege, which means granting only the permissions that are necessary for the application to perform its tasks. Option A suggests reusing an existing service account, which is not recommended because it can lead to excessive permissions and make it harder to manage access control. Option B suggests granting the Cloud Spanner Database Admin role, which is too permissive for an application that only needs to read data. Option D suggests granting a specific permission, spanner.databases.select, but it's better to use predefined roles that bundle permissions in a meaningful way. Option C is the correct choice because it involves creating a new service account and granting it the Cloud Spanner Database Reader role, which provides the necessary read permissions without excessive access.
How should you assign Identity and Access Management (IAM) permissions to a new application that reads from an existing Cloud Spanner database for dashboard statistics, following Google's best practices?
A. Reuse the existing service account that populates this database.
B. Create a new service account, and grant it the Cloud Spanner Database Admin role.
C. Create a new service account, and grant it the Cloud Spanner Database Reader role.
D. Create a new service account, and grant it the spanner.databases.select permission.