Exam Professional Cloud Database Engineer topic 1 question 64 discussion

spanner.database.select is not enough, you also need a spanner.database.read which is included in Cloud Spanner Database Reader role

Option C is correct. Here is why: spanner.admin God-tier control over everything Full CRUD & DDL for instances, databases, users, policies Manage entire Cloud Spanner environment spanner.databaseAdmin Database master control Full CRUD & DDL for databases, users, policies Create, manage, and secure databases spanner.databaseUser Power user with data rights Full CRUD & DDL for specified databases Read, write, modify data, manage database schema spanner.databaseReader Curious but hands-off observer Read-only access and query execution Analyze data without manipulation spanner.viewer Peeping Tom (metaphorically speaking) View instances, databases, and users Monitor Cloud Spanner metadata, no data access spanner.backupAdmin Backup whiz Create, view, update, delete backups Manage backups without accessing data

A is nonsense. Admin is too much, select is not enough. C is the one.

C. A new application should have its own service account. Eliminate A. The Admin role is too broad. Eliminate B. D grants an individual permission not a role. Granting permissions in IAM is done via a role. From Google’s documentation: “In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated principals.” https://cloud.google.com/iam/docs/overview

Why not D?

Google Recommended practice is to assign roles but not permissions directly. SO, C

B: Create a new service account, and grant it the Cloud Spanner Database Admin ***** role.