
Explanation:
The correct answer is A. The Cloud SQL Auth Proxy requires the service account to hold the cloudsql.instances.connect permission in order to establish a connection. Option A follows the principle of least privilege by creating a custom role that grants only this permission. Additionally, specifying the instance connection name in the Proxy start command is necessary so that the Proxy routes connections to the correct instance. Option B is incorrect because --unix-socket is not applicable on Windows (TCP is used instead). Options C and D grant overly broad predefined roles (roles/cloudsql.editor and roles/cloudsql.viewer), violating least privilege. The roles/cloudsql.client role (from Option B) includes extra permissions such as cloudsql.instances.get, so a custom role (Option A) is more restrictive and better aligned with least privilege.
You are deploying an application on a Compute Engine instance with Windows OS and Cloud SQL, using Cloud SQL Auth Proxy for connectivity. Following Google-recommended practices and the principle of least privilege, you have created a custom service account. What is the next step?
A. Create and assign a custom role with the cloudsql.instances.connect permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
B. Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy start command to use the --unix-socket CLI option.
C. Grant the custom service account the roles/cloudsql.editor role.
D. Grant the custom service account the roles/cloudsql.viewer role. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.