GCP Professional Cloud Architect Practice Question
A fintech company must allow a group of external contractors to run read-only queries against tables in the prod_finance BigQuery dataset for a two-week audit. Queries are permitted only when the request originates from the company's on-premises public subnet 198.51.100.0/24, and access must automatically expire at 23:59 UTC on 15 June 2025. The solution should follow the principle of least privilege and avoid granting broader project-level permissions. How should you configure access?
Grant a custom IAM role containing only bigquery.jobs.create on the prod_finance dataset with an IAM condition that evaluates request.ip and request.time.
Grant the contractors the BigQuery User role on the entire project and rely on VPC Service Controls to restrict access to 198.51.100.0/24.
Expose BigQuery through Identity-Aware Proxy (IAP), configure an access level for the 198.51.100.0/24 subnet, and grant the contractors BigQuery User on the project for the duration of the audit.
Grant the contractors the BigQuery Data Viewer role on the prod_finance dataset with an IAM condition that allows access only until timestamp("2025-06-15T23:59:59Z"). Create a VPC Service Controls perimeter for the project and add an ingress rule permitting access exclusively from 198.51.100.0/24.
The least-privilege approach is to grant the contractors the predefined BigQuery Data Viewer role only on the specific dataset, guarded by an IAM condition that limits the permission to the required two-week period. Because IAM conditions cannot evaluate the caller's source IP, you must also place the hosting project in a VPC Service Controls perimeter and add an ingress rule that allows requests solely from the company's on-premises subnet. This combination enforces both the time-bound requirement (via IAM) and the network-location requirement (via VPC Service Controls). The other options either lack time-bound enforcement, cannot restrict by IP at the dataset level, or grant broader permissions than necessary.
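As an added example that is not part of the original question page: the two controls from the correct answer written out in the shape the IAM and Access Context Manager APIs use, plus a small evaluator that shows a query is admitted only when both layers pass (IAM supplies the permission and the expiry, VPC Service Controls supplies the network origin). The project number, access-policy id and contractor group are placeholders.

```python
"""Simulate the combined IAM-condition + VPC Service Controls design.

Placeholders (not from the question): POLICY_ID, PROJECT_NUMBER and the
contractor group. Subnet and expiry are the values stated in the scenario.
"""
from datetime import datetime
import ipaddress

EXPIRY = "2025-06-15T23:59:59Z"
ALLOWED_SUBNET = "198.51.100.0/24"
CONTRACTORS = "group:audit-contractors@example.com"  # placeholder principal

# IAM binding on the prod_finance dataset: predefined Data Viewer role,
# limited by a CEL condition on request.time (IAM cannot see the source IP).
DATASET_BINDING = {
    "role": "roles/bigquery.dataViewer",
    "members": [CONTRACTORS],
    "condition": {
        "title": "audit-window",
        "expression": f'request.time < timestamp("{EXPIRY}")',
    },
}

# VPC Service Controls: an access level that names the on-prem subnet,
# referenced by an ingress rule on the project's perimeter.
ACCESS_LEVEL = {
    "name": "accessPolicies/POLICY_ID/accessLevels/onprem_public",
    "basic": {"conditions": [{"ipSubnetworks": [ALLOWED_SUBNET]}]},
}
INGRESS_RULE = {
    "ingressFrom": {"sources": [{"accessLevel": ACCESS_LEVEL["name"]}],
                    "identities": [CONTRACTORS]},
    "ingressTo": {"resources": ["projects/PROJECT_NUMBER"],
                  "operations": [{"serviceName": "bigquery.googleapis.com",
                                  "methodSelectors": [{"method": "*"}]}]},
}

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def iam_allows(member, when_iso):
    """IAM layer: member must be bound and the time condition must still hold."""
    return member in DATASET_BINDING["members"] and _utc(when_iso) < _utc(EXPIRY)

def vpcsc_allows(member, src_ip):
    """VPC SC layer: identity listed in the ingress rule, source IP in the access level."""
    nets = [ipaddress.ip_network(c) for cond in ACCESS_LEVEL["basic"]["conditions"]
            for c in cond["ipSubnetworks"]]
    in_level = any(ipaddress.ip_address(src_ip) in n for n in nets)
    return member in INGRESS_RULE["ingressFrom"]["identities"] and in_level

def query_allowed(member, src_ip, when_iso):
    """A read succeeds only when both independent layers allow it."""
    return iam_allows(member, when_iso) and vpcsc_allows(member, src_ip)
```

Dropping either layer reproduces the flaws the explanation attributes to the other options: IAM alone admits the contractors from any network, and the perimeter alone never expires.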
GCP Professional Cloud Architect
Designing for security and compliance