Q: 3
Your organization needs to allow a production job to have access to a BigQuery dataset. The
production job is running on a Compute Engine instance that is part of an instance group.
What should be included in the IAM Policy on the BigQuery dataset?
Options
Discussion
C. The service account is the identity BigQuery checks, not the VM or group. Official practice tests and docs point out this exact thing, so I'd check those again if in doubt.
C
C. The Compute Engine service account is what BigQuery checks for permissions when the job accesses data. Seen similar stuff on practice tests and that's always the way for least privilege. Project or instance group is too broad here, and D won't cover all cases in a group. Disagree?
C tbh, not D. The instance group is a trap, only the service account actually gets used as the identity for access.
C, not totally sure but service account feels right since it's what BigQuery checks on API requests from Compute Engine.
My vote is it's C here. Service account is what actually gets the permissions, not the instance or group. Agree?
I don’t think it’s B or D. The real key is the service account, since that’s what actually does the API call to BigQuery when the job runs. Attaching IAM to the project or instance group would be too broad and not follow least privilege. Bit of a common trap, but C is right from what I know. If someone disagrees, curious to hear their reasoning!
C, since the service account is what BigQuery sees when the job runs. Not the project or instance itself. Pretty sure that's the recommended way for least privilege.
B or D? I always thought attaching IAM at the project level (B) grants downstream access to stuff like BigQuery, but some practice questions push D, saying the instance needs it directly. Not 100% sure - project scope seems more common though. Disagree?
B tbh, since the project owns the instance and inherits a lot of permissions by default. I always thought project-level roles covered resources in cases like this. Not 100% on it but seems logical, yeah?