An e-commerce company has a batch Dataflow pipeline that runs in the analytics-etl project and writes its results to an existing BigQuery dataset named prod_sales located in the separate prod-data project. To save time, an engineer previously granted the pipeline's controller service account the primitive Editor role on the prod-data project, but an internal audit now requires that you enforce the principle of least privilege. The pipeline must continue to create load jobs and append data to tables inside the prod_sales dataset. Which IAM redesign satisfies the requirement while removing unnecessary permissions?
Create a custom role containing only the bigquery.datasets.delete permission and assign it to the service account at the project level.
Grant the pipeline's service account the BigQuery User role on the prod-data project, relying on default table-level permissions for writes.
Grant the pipeline's service account the BigQuery Data Editor role on the prod_sales dataset and the BigQuery Job User role on the prod-data project.
Replace the Editor role with the BigQuery Admin role on the prod-data project so the pipeline retains full BigQuery privileges without broader project access.
Granting the service account the predefined BigQuery Data Editor role on the specific prod_sales dataset lets it create, update, and append to tables inside that dataset but nowhere else. Adding the BigQuery Job User role at the prod-data project level allows the service account to launch the load jobs that the Dataflow runner submits to BigQuery. Together these two limited, predefined roles provide exactly the permissions the pipeline needs. Granting BigQuery Admin or the primitive Editor role would violate least-privilege because they include dataset-level delete permissions and broad project-wide capabilities. BigQuery User does not permit writing to existing tables, and a custom role that includes bigquery.datasets.delete is both broader than required and in the wrong scope for the task.
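A compliance check for the redesign described above, written as an added example (not code from the exam page or from Google). It audits a service account's grants against the target state of Job User at project level plus Data Editor on the dataset only, flagging primitive or admin roles; the policy and dataset JSON are constructed to mirror the shapes returned by `gcloud projects get-iam-policy --format=json` and `bq show --format=prettyjson`, and the service-account e-mail is a placeholder.

```python
"""Audit a Dataflow controller service account's BigQuery grants for least privilege."""

SA = "dataflow-controller@analytics-etl.iam.gserviceaccount.com"  # placeholder e-mail

# Project-level roles that grant far more than load jobs and appends to one dataset.
OVERBROAD_PROJECT_ROLES = {"roles/editor", "roles/owner", "roles/bigquery.admin"}
REQUIRED_PROJECT_ROLES = {"roles/bigquery.jobUser"}        # needed to submit load jobs
REQUIRED_DATASET_ROLES = {"roles/bigquery.dataEditor"}     # needed to append to tables
# Dataset access entries may use legacy role names; map them to the equivalent IAM roles.
LEGACY_DATASET_ROLES = {"READER": "roles/bigquery.dataViewer",
                        "WRITER": "roles/bigquery.dataEditor",
                        "OWNER": "roles/bigquery.dataOwner"}


def project_roles(policy: dict, member: str) -> set:
    """Roles bound to `member` (e.g. 'serviceAccount:...') in a project IAM policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def dataset_roles(dataset: dict, email: str) -> set:
    """Roles granted to `email` in a dataset's access list (entries use userByEmail, no prefix)."""
    roles = {e["role"] for e in dataset.get("access", []) if e.get("userByEmail") == email}
    return {LEGACY_DATASET_ROLES.get(r, r) for r in roles}


def audit(policy: dict, dataset: dict, sa_email: str) -> list:
    """Return remediation findings; an empty list means the grants match the target state."""
    p_roles = project_roles(policy, f"serviceAccount:{sa_email}")
    d_roles = dataset_roles(dataset, sa_email)
    findings = [f"remove over-broad project role {r}" for r in sorted(p_roles & OVERBROAD_PROJECT_ROLES)]
    findings += [f"grant {r} on the project" for r in sorted(REQUIRED_PROJECT_ROLES - p_roles)]
    findings += [f"grant {r} on the dataset" for r in sorted(REQUIRED_DATASET_ROLES - d_roles)]
    return findings


# Constructed "before" state: primitive Editor on prod-data, nothing on the dataset itself.
BEFORE_POLICY = {"bindings": [{"role": "roles/editor", "members": [f"serviceAccount:{SA}"]}]}
BEFORE_DATASET = {"datasetReference": {"projectId": "prod-data", "datasetId": "prod_sales"}, "access": []}

# Constructed "after" state: Job User on prod-data, Data Editor on prod_sales only.
AFTER_POLICY = {"bindings": [{"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{SA}"]}]}
AFTER_DATASET = {"datasetReference": {"projectId": "prod-data", "datasetId": "prod_sales"},
                 "access": [{"role": "roles/bigquery.dataEditor", "userByEmail": SA}]}

if __name__ == "__main__":
    for label, pol, ds in (("before", BEFORE_POLICY, BEFORE_DATASET), ("after", AFTER_POLICY, AFTER_DATASET)):
        print(label, audit(pol, ds, SA) or ["compliant"])
```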
GCP Professional Data Engineer
Designing data processing systems