Exam Professional Data Engineer topic 1 question 52 discussion

A is wrong, if only I can see the bucket no automation is possible, besides, also needs launch the dataproc job B is too much, does not follow the security best practices C has one point missing…you need to submit dataproc jobs. In D viewer role will not be able to submit dataproc jobs, the rest is ok Thus….the only one that would work is B! BUT this service account has too many permissions. Should have dataproc editor, write big query and read from bucket

Should be C

We need permissions for submitting dataproc jobs and writing to BigQuery. Project Owner will fix all of that even though it's not a good solution. The rest won't work at all.

C Project Owner is too much, violates the principle of least privilege

C. Use a service account with the ability to read the batch files and to write to BigQuery It is best practice to use service accounts with the least privilege necessary to perform a specific task when automating jobs. In this case, the job needs to read the batch files from Cloud Storage and write the results to BigQuery. Therefore, you should create a service account with the ability to read from the Cloud Storage bucket and write to BigQuery, and use that service account to run the job.

B works for the given requirement

Least privilege principle. Option C. job can be submitted or triggered using a Cron or a composer which uses another SA with different set of privileges

B because we need to run job .. option C mentioned permission about read and write nothing mention to run the job . In case project owner to service account it’s similar just running job and doing rest of tasks read and writing as well.

The answer is C because Service Account is the best way to access the BigQuery API if your application can run jobs associated with service credentials rather than an end-user's credentials, such as a batch processing pipeline. https://cloud.google.com/bigquery/docs/authentication

Data owners cant create jobs or queries. -> B out We need service Account -> D out Access only granting me does not solve the problem -> A out The answer is C. ( Minimum rights to perform the job)

"taking nightly batch files containing non-public information from Google Cloud Storage, processing them with a Spark Scala job on a Google Cloud Dataproc cluster, and depositing the results into Google BigQuery"

C should be okay,since he is already a project owner, I guess compute service account created will have access to run the jobs

C, Project Owner role to a service account - is too much

Why there are so many wrong answers? Examtopics.com are you enjoying paid subscription by giving random answers from people? Ans: C

Ans: C See this: https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/service-accounts#dataproc_service_accounts_2

C as service account invoked to read the data into GCS and write to BQ once transformed via Data Proc. Assumes DataProc can inherit SA authorisation to perform transform and propagate. B seems to violate key IAM principle enforcing least privilege; https://cloud.google.com/iam/docs/recommender-overview

Vote for 'C"