Your security team requires that an external data ingestion service have only the minimum permissions needed to load CSV files into the existing BigQuery table sales_raw.daily_import in project retail-prod. The service must be able to append new rows with the bq load command every night, but it must never be able to read table data, overwrite or delete the table, or access other datasets in the project. What is the most appropriate way to satisfy the requirement while following the principle of least privilege?
Grant the predefined role BigQuery Data Editor (roles/bigquery.dataEditor) on the sales_raw dataset to the service account.
Create a custom IAM role containing only bigquery.tables.get and bigquery.tables.updateData, and bind that role to the service account on the sales_raw.daily_import table.
Assign the service account the predefined role BigQuery Job User (roles/bigquery.jobUser) on the project, which is sufficient for running bq load without additional permissions.
Grant the primitive role Storage Object Creator on the project, because BigQuery load jobs read from Cloud Storage and write data implicitly.
To append data to an existing BigQuery table with the bq load command, the service account needs exactly two permissions on that table: bigquery.tables.get (so that the load job can validate the schema of the destination table) and bigquery.tables.updateData (which allows inserting or appending rows with load or query jobs). Granting broader predefined roles such as BigQuery Data Editor (which also confers read access via bigquery.tables.getData and destructive privileges such as bigquery.tables.delete) would violate least-privilege requirements. Creating a custom IAM role containing only the necessary permissions and binding it at the table level ensures the service account can append data while preventing reads, deletes, or access to other datasets.
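The setup the explanation describes, as an added shell example that is not part of the exam page: a custom role holding only bigquery.tables.get and bigquery.tables.updateData, bound on the single table, followed by the nightly bq load. The service account name, custom role id and Cloud Storage path are assumed placeholders. One caveat the explanation leaves implicit: load jobs are created at the project level, so the account also needs bigquery.jobs.create there (roles/bigquery.jobUser), which confers no access to table data. The script also includes an offline audit function that flags any permission outside the two the append needs, run here against a constructed subset of the BigQuery Data Editor permissions to show why that role fails the requirement. Commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example, not from the exam page: least-privilege setup for a nightly
# CSV append into retail-prod:sales_raw.daily_import, plus an offline audit
# that flags any permission beyond the two the load job needs on the table.

PROJECT="retail-prod"
DATASET="sales_raw"
TABLE="daily_import"
ROLE_ID="csvAppendOnly"                                # assumed custom role id
SA="ingest-loader@${PROJECT}.iam.gserviceaccount.com"  # assumed service account
SOURCE_URI="gs://example-ingest-bucket/daily.csv"      # assumed source object
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud/bq commands instead of running them

# The only table-level permissions an append-only load needs.
ALLOWED_PERMS="bigquery.tables.get
bigquery.tables.updateData"

# audit_permissions: read one permission per line on stdin, print every
# permission that is NOT in ALLOWED_PERMS, return 1 if any were found.
audit_permissions() {
  violations=0
  while IFS= read -r perm; do
    [ -z "$perm" ] && continue
    if ! printf '%s\n' "$ALLOWED_PERMS" | grep -qx -- "$perm"; then
      printf 'EXCESS: %s\n' "$perm"
      violations=$((violations + 1))
    fi
  done
  [ "$violations" -eq 0 ]
}

# run: execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# 1. Custom role containing exactly the two permissions.
create_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT" \
    --title="BigQuery CSV append-only" \
    --permissions="$(printf '%s\n' "$ALLOWED_PERMS" | paste -sd, -)"
}

# 2. Bind the role on the single table, not on the dataset or the project.
bind_on_table() {
  run bq add-iam-policy-binding \
    --member="serviceAccount:${SA}" \
    --role="projects/${PROJECT}/roles/${ROLE_ID}" \
    "${PROJECT}:${DATASET}.${TABLE}"
}

# 3. Load jobs are a project resource: the account needs bigquery.jobs.create
#    there (roles/bigquery.jobUser), which grants no table data access.
grant_job_user() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:${SA}" --role="roles/bigquery.jobUser"
}

# 4. The nightly append. bq load appends by default; --replace is never passed.
nightly_load() {
  run bq load --source_format=CSV --skip_leading_rows=1 \
    "${PROJECT}:${DATASET}.${TABLE}" "$SOURCE_URI"
}

# Constructed subset of roles/bigquery.dataEditor permissions, to show why
# that role is broader than the requirement allows.
DATA_EDITOR_SAMPLE="bigquery.tables.get
bigquery.tables.getData
bigquery.tables.delete
bigquery.tables.update
bigquery.tables.updateData"

create_role; bind_on_table; grant_job_user; nightly_load
printf '%s\n' "$DATA_EDITOR_SAMPLE" | audit_permissions \
  || echo "roles/bigquery.dataEditor exceeds the append-only requirement"
```

Running the script with the default DRY_RUN=1 prints the four commands and then three EXCESS lines (getData, delete, update) for the Data Editor sample; those three permissions are exactly the read and destructive capabilities the requirement forbids.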
GCP Professional Data Engineer
Designing data processing systems