nerdexam
Google

CLOUD-DIGITAL-LEADER · Question #15

Your organization needs to allow a production job to have access to a BigQuery dataset. The production job is running on a Compute Engine instance that is part of an instance group. What should be inc

The correct answer is C. The Compute Engine service account. In Google Cloud IAM, workloads (like Compute Engine instances) are granted permissions through a service account, not through the instance itself, the instance group, or the owning project. The service account is the identity that represents the application running on the instanc

Securing and Operating Google Cloud

Question

Your organization needs to allow a production job to have access to a BigQuery dataset. The production job is running on a Compute Engine instance that is part of an instance group. What should be included in the IAM Policy on the BigQuery dataset?

Options

  • AThe Compute Engine instance group
  • BThe project that owns the Compute Engine instance
  • CThe Compute Engine service account
  • DThe Compute Engine instance

How the community answered

(60 responses)
  • A
    3% (2)
  • B
    10% (6)
  • C
    82% (49)
  • D
    5% (3)

Explanation

In Google Cloud IAM, workloads (like Compute Engine instances) are granted permissions through a service account, not through the instance itself, the instance group, or the owning project. The service account is the identity that represents the application running on the instance. You grant the appropriate BigQuery role (e.g., roles/bigquery.dataViewer) to that service account on the BigQuery dataset. Instance groups are not valid IAM principals, individual instances are not identities in IAM, and granting access to the entire project would be overly permissive.

Topics

#IAM#Service Accounts#Compute Engine#BigQuery

Community Discussion

No community discussion yet for this question.

Full CLOUD-DIGITAL-LEADER Practice