PROFESSIONAL-CLOUD-DEVELOPER · Question #327
You are about to deploy an application hosted on a Compute Engine instance with Windows OS and Cloud SQL. You plan to use the Cloud SQL Auth Proxy for connectivity to the Cloud SQL instance. You plan
The correct answer is B. Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy. The Cloud SQL Auth Proxy requires only the ability to establish connections to a Cloud SQL instance - it does not need to read or write data. The predefined role roles/cloudsql.client grants exactly the cloudsql.instances.connect permission needed and nothing more, making it the
Question
You are about to deploy an application hosted on a Compute Engine instance with Windows OS and Cloud SQL. You plan to use the Cloud SQL Auth Proxy for connectivity to the Cloud SQL instance. You plan to follow Google-recommended practices and the principle of least privilege. You have already created a custom service account. What should you do next?
Options
- ACreate and assign a custom role with the cloudsql.instances.connect permission to the custom
- BGrant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy
- CGrant the custom service account the roles/cloudsql.editor role.
- DGrant the custom service account the roles/cloudsql.viewer role. Adjust the Cloud SQL Auth
How the community answered
(46 responses)- A4% (2)
- B72% (33)
- C7% (3)
- D17% (8)
Explanation
The Cloud SQL Auth Proxy requires only the ability to establish connections to a Cloud SQL instance - it does not need to read or write data. The predefined role roles/cloudsql.client grants exactly the cloudsql.instances.connect permission needed and nothing more, making it the least-privilege predefined role for this purpose. Option A (custom role with cloudsql.instances.connect) would technically work but creating a custom role for a permission already covered by a predefined role adds unnecessary complexity - Google recommends using predefined roles first. Option C (roles/cloudsql.editor) grants data modification rights - excessive. Option D (roles/cloudsql.viewer) does not include connect permissions, so the proxy would fail.
Topics
Community Discussion
No community discussion yet for this question.