Your company runs a nightly Apache Beam pipeline on Cloud Dataflow. The pipeline, triggered by Cloud Scheduler, reads compressed files from the Cloud Storage bucket "raw-logs", transforms the data, and appends the results to tables in the BigQuery dataset "analytics". The pipeline executes under the service account pipeline-sa@project. A new security policy requires replacing the project-level Editor role currently assigned to this account with a least-privilege alternative while keeping the job fully functional. Which IAM configuration meets the requirement?
Create a custom project-level role containing bigquery.tables.update, storage.objects.get, and dataflow.jobs.create, and bind it to pipeline-sa.
Grant roles/dataflow.worker on the project and additionally grant roles/bigquery.dataEditor on the "analytics" dataset and roles/storage.objectViewer on the "raw-logs" bucket to pipeline-sa.
Replace the Editor role with the primitive Viewer role at the project level and grant no further permissions.
Grant roles/bigquery.admin and roles/storage.admin on the project to pipeline-sa; no Dataflow role is needed because it already owns the project.
The service account needs three distinct capabilities: (1) launch and operate Dataflow workers, (2) read objects in the source Cloud Storage bucket, and (3) write data into the specific BigQuery dataset. Granting roles/dataflow.worker at the project level supplies the permissions required for Dataflow job execution and worker management without broad administrative access. Adding roles/storage.objectViewer on the single "raw-logs" bucket limits Cloud Storage access to read-only for just that bucket. Finally, granting roles/bigquery.dataEditor on the "analytics" dataset allows table appends and modifications within that dataset only. This combination follows the principle of least privilege. The other options either use overly broad primitive or admin roles, grant permissions at an unnecessarily wide scope, or omit required permissions, so they do not satisfy the policy.
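The three scoped bindings from the correct option, written as Terraform for the Google provider (an added example, not part of the exam page). The project id and the full service-account email are placeholders; the bucket and dataset names are the ones from the question.

```hcl
# Added example: least-privilege replacement for the project-level Editor
# binding on pipeline-sa. Placeholders: var.project_id and the service
# account's email domain.
variable "project_id" {
  type    = string
  default = "my-project-id" # placeholder, replace with your project id
}

locals {
  # pipeline-sa@project from the question; the ".iam.gserviceaccount.com"
  # suffix is the assumed default service-account domain.
  pipeline_sa = "serviceAccount:pipeline-sa@${var.project_id}.iam.gserviceaccount.com"
}

# (1) Run Dataflow workers: project scope is required, but the role is the
#     narrow worker role rather than Editor.
resource "google_project_iam_member" "dataflow_worker" {
  project = var.project_id
  role    = "roles/dataflow.worker"
  member  = local.pipeline_sa
}

# (2) Read-only access to the single source bucket, not every bucket in
#     the project.
resource "google_storage_bucket_iam_member" "raw_logs_reader" {
  bucket = "raw-logs"
  role   = "roles/storage.objectViewer"
  member = local.pipeline_sa
}

# (3) Append and modify tables only inside the "analytics" dataset.
resource "google_bigquery_dataset_iam_member" "analytics_writer" {
  project    = var.project_id
  dataset_id = "analytics"
  role       = "roles/bigquery.dataEditor"
  member     = local.pipeline_sa
}

# google_*_iam_member resources only add the bindings they manage, so the
# existing roles/editor grant must be removed separately, for example:
#   gcloud projects remove-iam-policy-binding PROJECT_ID \
#     --member="serviceAccount:pipeline-sa@PROJECT_ID.iam.gserviceaccount.com" \
#     --role="roles/editor"
```

After applying, confirm with `gcloud projects get-iam-policy PROJECT_ID` that pipeline-sa holds only roles/dataflow.worker at project scope, and re-run the scheduled job once to verify the bucket read and dataset append still succeed.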
GCP Professional Data Engineer
Designing data processing systems