GCP Professional Cloud Security Engineer Practice Question
A retailer's nightly Beam pipeline launches from a Cloud Composer environment and runs as a dedicated service account on Dataflow workers. The workers must read CSV files from an input bucket, load the transformed records into an existing BigQuery dataset, and write job logs to Cloud Logging. The service account currently holds the Editor role on both involved projects, which violates least-privilege policy. Which replacement IAM grant set meets the functional needs while eliminating overly permissive roles?
Replace Editor with roles/owner on the Dataflow project to cover all required permissions and future growth.
Assign roles/storage.admin and roles/bigquery.admin at the project level so the pipeline can manage all storage and BigQuery resources without further changes.
Give the service account roles/dataflow.admin on the project, roles/storage.legacyBucketReader on the bucket, and roles/bigquery.user on the project.
Grant roles/dataflow.worker on the Dataflow project, roles/storage.objectViewer on the input bucket, roles/bigquery.dataEditor on the target dataset, and roles/logging.logWriter on the project.
Granting Dataflow Worker on the project lets the service account start and manage Dataflow jobs. Granting Storage Object Viewer on only the input bucket is sufficient for reading objects without allowing writes or bucket administration. Granting BigQuery Data Editor on the specific dataset lets the pipeline create and append tables but not administer the entire project. Granting Logging Log Writer on the project allows log export without additional privileges. The other options continue to use broad Owner, Editor, Admin, or Dataflow Admin roles, all of which provide permissions far beyond what the pipeline requires.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the least-privilege policy, and why is it important in IAM roles?
Open an interactive chat with Bash
What does the roles/dataflow.worker IAM role allow in Dataflow?
Open an interactive chat with Bash
What is the roles/storage.objectViewer IAM role used for in this pipeline?
Open an interactive chat with Bash
What is the role of Dataflow Worker in GCP IAM?
Open an interactive chat with Bash
Why use Storage Object Viewer instead of Storage Admin?
Open an interactive chat with Bash
How does BigQuery Data Editor align with least-privilege principles?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .