An analytics startup runs a Dataflow pipeline in the production project analytics-prod. The pipeline executes under service account [email protected], which currently holds the basic (formerly "primitive") Editor role at the project level. A security audit flags this as excessive. The pipeline must do only two things:
Read objects already stored in Cloud Storage bucket gs://ingest-data.
Write query results into the existing BigQuery dataset marketing_prod.
To follow the principle of least privilege while keeping administration effort low, how should you update IAM permissions for the service account?
Keep the Editor role but add an organization policy that disables sensitive service APIs to mitigate risk.
Create a custom project-level role containing only storage.objects.get and bigquery.tables.updateData, then assign it to the service account.
Remove the Editor role and grant Storage Object Viewer on gs://ingest-data, BigQuery Data Editor on the marketing_prod dataset, and BigQuery Job User at the project level.
Remove the Editor role and instead grant Storage Object Viewer and BigQuery Data Owner as project-level roles.
Remove the broad Editor role. Grant the predefined Storage Object Viewer role on the specific Cloud Storage bucket: it carries storage.objects.get and storage.objects.list, so the pipeline can read and enumerate input files but cannot write to or manage the bucket. On the BigQuery side, grant BigQuery Data Editor on the single target dataset so the pipeline can create tables and append or update table data there and nowhere else, and grant BigQuery Job User at the project level because jobs are project-scoped and the pipeline needs bigquery.jobs.create to submit query and load jobs. This combination supplies only the permissions required and scopes each one to the narrowest resource that supports it. The other options fail least privilege or add administrative burden: keeping Editor behind an organization policy leaves the service account with thousands of unneeded permissions; BigQuery Data Owner at project level lets it delete or reshare every dataset in the project; and the custom role would have to be maintained by hand and, as written, lacks bigquery.jobs.create, so the pipeline could not even run the query jobs that produce the results. One practical caveat the question scopes out: a Dataflow worker service account also needs the Dataflow Worker role (roles/dataflow.worker) for the service itself to schedule work on it.
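The policy change in the correct answer, as an added example that is not part of the original question: the script audits a project IAM policy for basic-role bindings held by the service account, removes them, and adds the one project-scoped role that belongs at that level, returning the bucket and dataset grants separately because they are applied on those resources, not on the project. The policy document is constructed here in the JSON shape that gcloud projects get-iam-policy --format=json returns, so it runs offline; the service account address is an assumption standing in for the one the page elides.

```python
"""Least-privilege rewrite of a project IAM policy (added example).

Works on a constructed copy of the analytics-prod project policy; nothing
here calls Google APIs. The output policy keeps the original etag so it can
be fed to `gcloud projects set-iam-policy` without clobbering concurrent edits.
"""
import copy
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

PROJECT = "analytics-prod"
# Assumed address; the question's service account name is elided on the page.
MEMBER = "serviceAccount:dataflow-sa@analytics-prod.iam.gserviceaccount.com"

# Constructed sample: the project policy before the fix.
CURRENT_POLICY = {
    "etag": "BwXyz123",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/editor", "members": [MEMBER, "user:dev@example.com"]},
    ],
}


def basic_roles_held(policy, member):
    """Audit check: which basic roles does `member` hold in this policy?"""
    return sorted(b["role"] for b in policy["bindings"]
                  if b["role"] in BASIC_ROLES and member in b["members"])


def roles_for(policy, member):
    """Every role bound to `member`, for before/after comparison."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def remove_member(policy, member, role):
    """Drop `member` from `role`; other members of that binding are untouched."""
    for binding in policy["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    # A binding with no members left is invalid; delete it.
    policy["bindings"] = [b for b in policy["bindings"] if b["members"]]


def add_member(policy, member, role):
    """Add `member` to an unconditional binding for `role`, creating it if needed."""
    for binding in policy["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return
    policy["bindings"].append({"role": role, "members": [member]})


def least_privilege_project_policy(policy, member):
    """Return a new project policy with every basic role stripped from `member`
    and only BigQuery Job User (the one project-scoped role it needs) added."""
    new = copy.deepcopy(policy)          # never mutate the fetched policy
    for role in basic_roles_held(new, member):
        remove_member(new, member, role)
    add_member(new, member, "roles/bigquery.jobUser")
    return new


def resource_bindings(member):
    """The grants that belong on the bucket and the dataset, not the project."""
    return [
        ("gs://ingest-data", "roles/storage.objectViewer", member),
        (f"{PROJECT}:marketing_prod", "roles/bigquery.dataEditor", member),
    ]


if __name__ == "__main__":
    fixed = least_privilege_project_policy(CURRENT_POLICY, MEMBER)
    print("before:", roles_for(CURRENT_POLICY, MEMBER))
    print("after: ", roles_for(fixed, MEMBER))
    print(json.dumps(fixed, indent=2))   # -> gcloud projects set-iam-policy analytics-prod policy.json
    for resource, role, who in resource_bindings(MEMBER):
        print(f"grant {role} to {who} on {resource}")
```

The bucket grant maps to gcloud storage buckets add-iam-policy-binding gs://ingest-data with the member and role shown; the dataset grant is set on the dataset's own access list (for example by exporting it with bq show --format=prettyjson, adding the entry, and writing it back with bq update --source). The audit function is worth keeping as a standalone check: any service account for which basic_roles_held returns a non-empty list is a finding.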
GCP Professional Data Engineer
Designing data processing systems