Your fintech firm runs a Dataflow streaming job that writes payment events into the BigQuery dataset finance.raw_txn inside project p-pay. Compliance requires:
The pipeline's service account SA_INGEST must be able to create tables and append rows in finance.raw_txn but must never read data from it.
Members of the group [email protected] must be able to query data in the same dataset but must not change or delete any tables or rows.
Which IAM configuration best enforces the principle of least privilege while meeting both requirements?
Grant SA_INGEST the predefined role roles/bigquery.user at the project level and roles/bigquery.jobUser on the dataset. Grant [email protected] the same roles/bigquery.jobUser role on the dataset.
Create a custom role containing only bigquery.tables.create, bigquery.tables.updateData, and bigquery.jobs.create; grant it to SA_INGEST on finance.raw_txn. Grant [email protected] the predefined role roles/bigquery.dataViewer on that dataset and ensure no broader roles are inherited.
Grant SA_INGEST the predefined role roles/bigquery.dataEditor on finance.raw_txn, and grant [email protected] the predefined role roles/bigquery.dataViewer on the same dataset.
Grant SA_INGEST the predefined role roles/bigquery.admin on finance.raw_txn, and grant [email protected] the predefined role roles/bigquery.readSessionUser at the project level.
The Dataflow service account needs only the ability to load or stream data, not to read it. No predefined role offers write-only permissions; roles such as roles/bigquery.dataEditor or project-level primitive roles implicitly include read capabilities (e.g., bigquery.tables.getData). Creating a custom role limited to bigquery.tables.create, bigquery.tables.updateData, and bigquery.jobs.create (required for load/streaming jobs) gives SA_INGEST exactly the minimum permissions to write without read access. Assigning that custom role at the dataset level avoids broader scope. Analysts merely need to run queries, which the predefined roles/bigquery.dataViewer on the dataset already grants; it allows reading table data but not inserting, updating, or deleting it. Removing any inherited primitive roles ensures no broader permissions exist. Therefore, the custom write-only role plus the predefined Data Viewer role is the correct least-privilege solution; the other options either grant excessive permissions or fail to provide the required capabilities.
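The reasoning above comes down to computing each principal's effective permissions on the dataset (dataset-level bindings plus anything inherited from the project) and comparing them with what the two requirements allow and forbid. The following Python script is an added example, not part of the original question or answer key: it encodes that check and runs all four options through it, plus a fifth scenario in which a forgotten project-level roles/editor binding is still inherited by SA_INGEST. The role contents are a constructed subset holding only the permissions relevant to the decision (they are not the complete predefined roles), the analysts' group address is a placeholder for the redacted one, and the custom role id bqWriteOnly is hypothetical. The analyst check covers table data access only; running a query job additionally needs bigquery.jobs.create in whichever project the job is billed to, which is independent of the dataset bindings compared here.

```python
"""Least-privilege check for the BigQuery IAM options discussed above.

Added example, not part of the original question or answer key. It models how
GCP IAM resolves a principal's permissions on a dataset: the union of the
permissions of every role bound at the dataset itself and at any ancestor
(here, the project). The role contents below are a constructed subset holding
only the permissions needed to decide the two requirements.
"""

PROJECT = "p-pay"
DATASET = "finance.raw_txn"                 # dataset name as written in the question
SA = "serviceAccount:SA_INGEST"             # principal name as written in the question
ANALYSTS = "group:analysts@example.com"     # placeholder for the redacted group address
CUSTOM_WRITE_ONLY = f"projects/{PROJECT}/roles/bqWriteOnly"   # hypothetical custom role id

_VIEW = {"bigquery.datasets.get", "bigquery.tables.get",
         "bigquery.tables.list", "bigquery.tables.getData"}
_WRITE = {"bigquery.tables.create", "bigquery.tables.update",
          "bigquery.tables.updateData", "bigquery.tables.delete"}

# Constructed permission subsets (relevant entries only, not the full roles).
ROLE_PERMS = {
    "roles/bigquery.dataViewer": _VIEW,
    "roles/bigquery.dataEditor": _VIEW | _WRITE,
    "roles/bigquery.admin": _VIEW | _WRITE | {"bigquery.jobs.create", "bigquery.datasets.delete"},
    "roles/bigquery.user": {"bigquery.jobs.create", "bigquery.datasets.get", "bigquery.datasets.create"},
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/bigquery.readSessionUser": {"bigquery.readsessions.create", "bigquery.readsessions.getData"},
    # Basic (primitive) role: broad, carries both BigQuery read and write permissions.
    "roles/editor": _VIEW | _WRITE | {"bigquery.jobs.create"},
    # The write-only custom role from the correct option.
    CUSTOM_WRITE_ONLY: {"bigquery.tables.create", "bigquery.tables.updateData", "bigquery.jobs.create"},
}

# The two compliance requirements expressed as permission sets.
SA_MUST_HAVE = {"bigquery.tables.create", "bigquery.tables.updateData", "bigquery.jobs.create"}
SA_MUST_NOT_HAVE = {"bigquery.tables.getData"}
ANALYSTS_MUST_HAVE = {"bigquery.tables.getData"}
ANALYSTS_MUST_NOT_HAVE = {"bigquery.tables.create", "bigquery.tables.update",
                          "bigquery.tables.updateData", "bigquery.tables.delete"}


def effective_permissions(bindings, principal, dataset):
    """Union of role permissions bound at the dataset or inherited from the project."""
    perms = set()
    for scope, member, role in bindings:
        if member == principal and scope in ("project", dataset):
            perms |= ROLE_PERMS[role]
    return perms


def evaluate(bindings, dataset=DATASET):
    """Report missing required permissions and leaked forbidden ones per principal."""
    sa = effective_permissions(bindings, SA, dataset)
    an = effective_permissions(bindings, ANALYSTS, dataset)
    report = {
        "sa_missing": SA_MUST_HAVE - sa,
        "sa_forbidden_granted": sa & SA_MUST_NOT_HAVE,
        "analysts_missing": ANALYSTS_MUST_HAVE - an,
        "analysts_forbidden_granted": an & ANALYSTS_MUST_NOT_HAVE,
    }
    report["ok"] = not any(report.values())   # compliant only if every set is empty
    return report


# The four answer options as (scope, principal, role) bindings; "project" means p-pay.
OPTIONS = {
    "A": [("project", SA, "roles/bigquery.user"),
          (DATASET, SA, "roles/bigquery.jobUser"),
          (DATASET, ANALYSTS, "roles/bigquery.jobUser")],
    "B": [(DATASET, SA, CUSTOM_WRITE_ONLY),
          (DATASET, ANALYSTS, "roles/bigquery.dataViewer")],
    "C": [(DATASET, SA, "roles/bigquery.dataEditor"),
          (DATASET, ANALYSTS, "roles/bigquery.dataViewer")],
    "D": [(DATASET, SA, "roles/bigquery.admin"),
          ("project", ANALYSTS, "roles/bigquery.readSessionUser")],
}
# Option B again, but with a leftover project-level basic role still inherited by SA_INGEST.
OPTIONS["B_with_inherited_editor"] = OPTIONS["B"] + [("project", SA, "roles/editor")]

if __name__ == "__main__":
    for name, bindings in OPTIONS.items():
        r = evaluate(bindings)
        details = " ".join(f"{k}={sorted(v)}" for k, v in r.items() if k != "ok" and v)
        print(f"{name}: {'PASS' if r['ok'] else 'FAIL'} {details}")
```

Running the script shows only option B passing; the inherited-editor scenario fails on exactly the permission the question forbids (bigquery.tables.getData), which is why the correct option insists that no broader roles are inherited from the project.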
GCP Professional Data Engineer
Designing data processing systems