Google Professional Cloud Database Engineer

The question is about configuring IAM permissions for a new application that reads from an existing Cloud Spanner database to gather statistics for a dashboard. The best practice is to follow the principle of least privilege, which means granting only the permissions that are necessary for the application to perform its tasks. Option A suggests reusing an existing service account, which is not recommended because it can lead to excessive permissions and make it harder to manage access control. Option B suggests granting the Cloud Spanner Database Admin role, which is too permissive for an application that only needs to read data. Option D suggests granting a specific permission, spanner.databases.select, but it's better to use predefined roles that bundle permissions in a meaningful way. Option C is the correct choice because it involves creating a new service account and granting it the Cloud Spanner Database Reader role, which provides the necessary read permissions without excessive access.