Your company is developing an application that will interact with Cloud Spanner. The application needs the capability to both view and edit tables within Cloud Spanner. Adhering to the principle of least privilege, which role is most appropriate to assign to the team members?

Real Exam

Explanation:

The correct answer is D because roles/spanner.databaseUser is specifically designed for machine roles, granting the necessary permissions to read from and write to a database. This role is ideal as it allows executing SQL queries (including DML and Partitioned DML), and viewing or updating the database schema, without granting excessive privileges. It's recommended to assign this role at the database level for precise access control.

Option A (roles/spanner.databaseReader) is incorrect as it only provides read permissions, which are insufficient for the application's needs.
Option B (roles/spanner.databaseAdmin) is incorrect because it grants broader administrative privileges than necessary, violating the principle of least privilege.
Option C (roles/spanner.viewer) is incorrect as it's a person role that offers more privileges than required and is not suitable for machine roles.

For more details, refer to the GCP documentation on Spanner IAM Roles.

Powered ByGPT-5

Google Associate Cloud Engineer

Get started today

Google Associate Cloud Engineer

Get started today

Your company is developing an application that will interact with Cloud Spanner. The application needs the capability to both view and edit tables within Cloud Spanner. Adhering to the principle of least privilege, which role is most appropriate to assign to the team members?