A Kubernetes workload running in Google Kubernetes Engine transforms data and writes the results into a single BigQuery dataset named analytics.raw. The workload's service account must be able to
create new tables or append rows only inside analytics.raw, and
launch its own load and query jobs. It must not be able to read or modify any other datasets, delete tables, or change project-level settings.
Which IAM assignment best follows the principle of least privilege?
Grant the service account roles/bigquery.dataEditor on the entire analytics project.
Grant the service account roles/bigquery.dataOwner on the analytics.raw dataset and roles/bigquery.admin on the project.
Grant the service account the primitive roles/editor role on the project.
Grant the service account roles/bigquery.jobUser at the project level and roles/bigquery.dataEditor on the analytics.raw dataset.
Running load or query jobs in BigQuery requires the permission bigquery.jobs.create, which is included in the predefined role roles/bigquery.jobUser. That permission can only be granted at the project level. Creating tables or inserting/ updating row data inside a single dataset requires bigquery.tables.create and bigquery.tables.updateData, both of which are included in the predefined role roles/bigquery.dataEditor. Granting roles/bigquery.dataEditor only on the analytics.raw dataset confines these data-manipulation abilities to that dataset. Granting roles/bigquery.jobUser at the project level plus roles/bigquery.dataEditor on analytics.raw therefore supplies exactly the required capabilities-no access to other datasets and no broader project-wide privileges-aligning with the principle of least privilege. Other listed options grant permissions that are either too broad (project-wide data editor, data owner, admin, or primitive Editor) or include unnecessary administrative rights.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the principle of least privilege in IAM?
Open an interactive chat with Bash
What is the difference between roles/bigquery.jobUser and roles/bigquery.dataEditor?
Open an interactive chat with Bash
Why can’t roles/bigquery.jobs.create be granted at a dataset level?
Open an interactive chat with Bash
What is the principle of least privilege in IAM?
Open an interactive chat with Bash
Why is the `roles/bigquery.jobUser` role required at the project level?
Open an interactive chat with Bash
What is the difference between `roles/bigquery.dataEditor` and `roles/bigquery.dataOwner`?
Open an interactive chat with Bash
GCP Professional Data Engineer
Designing data processing systems
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .