
Answer-first summary for fast verification
Answer: Create and assign a custom role with the cloudsql.instances.connect permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
The correct answer is A. The Cloud SQL Auth Proxy requires the service account to have the `cloudsql.instances.connect` permission to establish a connection. Option A follows the principle of least privilege by creating a custom role with only this permission. Additionally, specifying the instance connection name in the Proxy command is necessary for proper routing. Option B is incorrect because `--unix-socket` is not applicable on Windows (TCP is used instead). Options C and D grant excessive permissions (`cloudsql.editor` and `cloudsql.viewer`), violating least privilege. The `roles/cloudsql.client` role (from Option B) includes extra permissions like `cloudsql.instances.get`, making a custom role (Option A) more restrictive and compliant with least privilege.
Author: LeetQuiz Editorial Team
You are deploying an application on a Compute Engine instance with Windows OS and Cloud SQL, using Cloud SQL Auth Proxy for connectivity. Following Google-recommended practices and the principle of least privilege, you have created a custom service account. What is the next step?
A. Create and assign a custom role with the `cloudsql.instances.connect` permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
B. Grant the custom service account the `roles/cloudsql.client` role. Adjust the Cloud SQL Auth Proxy start command to use the `--unix-socket` CLI option.
C. Grant the custom service account the `roles/cloudsql.editor` role.
D. Grant the custom service account the `roles/cloudsql.viewer` role. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.