Your organization runs Apache Beam pipelines on Cloud Dataflow in both a development project and a production project. Engineers currently launch jobs from their workstations with the same default Compute Engine service account, which has the BigQuery Admin role on both projects. After an incident in which a development job overwrote a production BigQuery table, you must redesign access so that:
Developers can still deploy and test pipelines in the development project without opening a support ticket.
Production pipelines are started only by Cloud Build triggers and must never reach development resources.
Human identities must not have broad BigQuery Admin rights in production.
Which change best meets these requirements while applying a stricter, least-privilege model in production?
Apply an organization policy that blocks Dataflow job submission from developer workstations so all jobs go through the existing default service account, which retains BigQuery Admin on both projects.
Keep the single default service account but replace its BigQuery Admin role with BigQuery DataEditor in both projects and rely on dataset-level ACLs in production to restrict writes.
Enable uniform bucket-level access on the production Cloud Storage staging bucket and add IAM Conditions to deny writes from non-production VPC networks while keeping the current service account roles unchanged.
Create separate user-managed service accounts: one dedicated to development and one to production. Grant the development account BigQuery Admin only on the development project, grant the production account BigQuery DataEditor on the required production datasets, remove its access to development, and configure all Cloud Build and Dataflow jobs to run with the correct account via the serviceAccount setting.
Creating separate, user-managed service accounts for each environment lets you grant the exact permissions each environment needs and prevents cross-environment access. Granting the development service account BigQuery Admin on only the development project preserves developer agility, while giving the production account the narrower BigQuery DataEditor role on specific production datasets limits the blast radius and removes the need for human BigQuery Admin privileges in production. Using the --serviceAccount (or corresponding) setting in Cloud Build and Dataflow ensures that the correct account is used at job submission time. The other options either keep a single account with broad privileges, rely only on storage-level controls that do not stop BigQuery writes, or block local submissions without addressing excessive permissions, so they fail to meet all stated goals.
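A practitioner applying this design would want a way to verify that the resulting IAM bindings actually satisfy the three requirements before the next incident. The following Python script is an added example written for this explanation, not code from the question page or from Google. It models project and dataset IAM policies in the JSON shape that `gcloud projects get-iam-policy --format=json` and `bq get-iam-policy` return (a `bindings` list of role/members pairs) and checks the invariants described above: no shared account, no human principal with a broad BigQuery role in production, no cross-environment reach for either service account, and a production account limited to DataEditor on specific datasets rather than Admin project-wide. All project ids, dataset names and account addresses are constructed placeholders; treating `group:` and `domain:` members as human principals is an assumption.

```python
"""Least-privilege audit for the two-service-account Dataflow design.

Added example, not from the original question page. Policies use the JSON
shape returned by `gcloud projects get-iam-policy --format=json` and
`bq get-iam-policy`: {"bindings": [{"role": ..., "members": [...]}]}.
All project ids, dataset names and account addresses below are constructed.
"""

BQ_ADMIN = "roles/bigquery.admin"
BQ_DATA_EDITOR = "roles/bigquery.dataEditor"
# Basic roles grant at least as much as BigQuery Admin, so they count as broad too.
BROAD_ROLES = {BQ_ADMIN, "roles/owner", "roles/editor"}
# Assumption: groups and domains are treated as human principals.
HUMAN_PREFIXES = ("user:", "group:", "domain:")


def roles_of(policy, member):
    """Roles that `member` holds directly in one IAM policy dict."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def members_holding(policy, roles):
    """All members that hold any role in `roles` in one IAM policy dict."""
    return {m for b in policy.get("bindings", []) if b["role"] in roles
            for m in b.get("members", [])}


def has_any_access(env, member):
    """True if `member` appears at project level or on any dataset of an environment."""
    return bool(roles_of(env["policy"], member)) or any(
        roles_of(p, member) for p in env["datasets"].values())


def audit(dev, prod, dev_sa, prod_sa):
    """Return a list of findings; an empty list means the design matches the target model.

    `dev` / `prod` are {"policy": <project policy>, "datasets": {name: <dataset policy>}}.
    """
    findings = []
    dev_member, prod_member = f"serviceAccount:{dev_sa}", f"serviceAccount:{prod_sa}"

    if dev_sa == prod_sa:
        findings.append("one service account is shared by both environments")

    # Requirement: no human identity with broad BigQuery rights in production.
    for m in sorted(members_holding(prod["policy"], BROAD_ROLES)):
        if m.startswith(HUMAN_PREFIXES):
            findings.append(f"{m} holds a broad BigQuery role in production")

    # Requirement: production jobs never reach development resources (and vice versa).
    if has_any_access(dev, prod_member):
        findings.append("production service account can reach the development project")
    if has_any_access(prod, dev_member):
        findings.append("development service account can reach the production project")

    # Requirement: production account is DataEditor on specific datasets, not Admin project-wide.
    broad = roles_of(prod["policy"], prod_member) & BROAD_ROLES
    if broad:
        findings.append(f"production service account holds {sorted(broad)} project-wide")
    dataset_roles = {r for p in prod["datasets"].values() for r in roles_of(p, prod_member)}
    extra = dataset_roles - {BQ_DATA_EDITOR}
    if extra:
        findings.append(f"production service account holds more than DataEditor on datasets: {sorted(extra)}")
    return findings


# --- Constructed sample: the state described in the incident ------------------
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"  # constructed
BEFORE_DEV = {"policy": {"bindings": [
    {"role": BQ_ADMIN, "members": [f"serviceAccount:{DEFAULT_SA}"]}]}, "datasets": {}}
BEFORE_PROD = {"policy": {"bindings": [
    {"role": BQ_ADMIN, "members": [f"serviceAccount:{DEFAULT_SA}", "user:alice@example.com"]}]},
    "datasets": {}}

# --- Constructed sample: the redesigned state ----------------------------------
DEV_SA = "dataflow-dev@dev-project.iam.gserviceaccount.com"    # constructed
PROD_SA = "dataflow-prod@prod-project.iam.gserviceaccount.com"  # constructed
AFTER_DEV = {"policy": {"bindings": [
    {"role": BQ_ADMIN, "members": [f"serviceAccount:{DEV_SA}"]}]}, "datasets": {}}
AFTER_PROD = {"policy": {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{PROD_SA}"]}]},
    "datasets": {"sales": {"bindings": [
        {"role": BQ_DATA_EDITOR, "members": [f"serviceAccount:{PROD_SA}"]}]}}}


def before_findings():
    """Audit the shared-default-account layout from the incident."""
    return audit(BEFORE_DEV, BEFORE_PROD, DEFAULT_SA, DEFAULT_SA)


def after_findings():
    """Audit the separated dev/prod service-account layout."""
    return audit(AFTER_DEV, AFTER_PROD, DEV_SA, PROD_SA)


if __name__ == "__main__":
    for label, found in (("before", before_findings()), ("after", after_findings())):
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  -", line)
```

Running it against the two constructed layouts reports five findings for the shared default account (shared account, a human Admin in production, reach in both directions, and a project-wide broad role) and none for the separated design. To check a real environment, replace the constructed dictionaries with the output of `gcloud projects get-iam-policy PROJECT --format=json` and `bq get-iam-policy PROJECT:DATASET` for each project and dataset the pipelines touch; the audit reads only the `bindings` list, so conditional bindings would need to be added to the model before relying on it for those.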
GCP Professional Data Engineer
Designing data processing systems