
Google Associate Cloud Engineer
Your company is developing an application that will interact with Cloud Spanner. The application needs the capability to both view and edit tables within Cloud Spanner. Adhering to the principle of least privilege, which role is most appropriate to assign to the team members?
Explanation:
The correct answer is B because roles/spanner.databaseUser is specifically designed for machine accounts, granting them the ability to read from and write to the database. It is recommended that this role be granted at the database level rather than on the instance or project. A principal with this role can perform the following actions:
- Read from and write to the Cloud Spanner database.
- Execute SQL queries on the database, including DML and Partitioned DML.
- View and update the schema for the database.
For more details, refer to the GCP documentation on Spanner IAM roles.
Why not the others?
- A (roles/spanner.databaseAdmin) provides more privileges than necessary, including administrative capabilities.
- C (roles/spanner.viewer) is a person role and does not provide the necessary write permissions.
- D (roles/spanner.databaseReader) only grants read permissions, which is insufficient for the application's requirements.