CLOUD-DIGITAL-LEADER · Question #15
Your organization needs to allow a production job to have access to a BigQuery dataset. The production job is running on a Compute Engine instance that is part of an instance group. What should be inc
The correct answer is C. The Compute Engine service account. In Google Cloud IAM, workloads (like Compute Engine instances) are granted permissions through a service account, not through the instance itself, the instance group, or the owning project. The service account is the identity that represents the application running on the instanc
Question
Your organization needs to allow a production job to have access to a BigQuery dataset. The production job is running on a Compute Engine instance that is part of an instance group. What should be included in the IAM Policy on the BigQuery dataset?
Options
- AThe Compute Engine instance group
- BThe project that owns the Compute Engine instance
- CThe Compute Engine service account
- DThe Compute Engine instance
How the community answered
(60 responses)- A3% (2)
- B10% (6)
- C82% (49)
- D5% (3)
Explanation
In Google Cloud IAM, workloads (like Compute Engine instances) are granted permissions through a service account, not through the instance itself, the instance group, or the owning project. The service account is the identity that represents the application running on the instance. You grant the appropriate BigQuery role (e.g., roles/bigquery.dataViewer) to that service account on the BigQuery dataset. Instance groups are not valid IAM principals, individual instances are not identities in IAM, and granting access to the entire project would be overly permissive.
Topics
Community Discussion
No community discussion yet for this question.