ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 5.2: Managing service accountsIAMService AccountsCross-ProjectSecurity

GCP ACE · Question 47 · Domain 5.2: Managing service accounts

You have two projects: 'Project A' (where your Compute Engine VMs run) and 'Project B' (where your BigQuery datasets reside). The VMs in Project A need to run queries against the datasets in Project B.

Which TWO steps are required to configure this cross-project access securely? (Select TWO)

Answer options:

A.

Identify the Service Account attached to the VMs in Project A.

B.

Download the JSON key for the Service Account in Project B and upload it to the VMs in Project A.

C.

In Project B's IAM settings, grant the Project A Service Account the required BigQuery roles.

D.

Set up VPC Network Peering between Project A and Project B.

E.

Move the BigQuery datasets from Project B into Project A.

How to approach this question

Understand that Service Accounts are just email addresses. You can take a Service Account from Project A and add it to the IAM policy of Project B.

Full Answer

Identify the Service Account attached to the VMs in Project A, and grant that Service Account the 'BigQuery Data Viewer' and 'BigQuery Job User' roles in Project B.
Google Cloud IAM supports cross-project access natively. A Service Account created in one project can be granted permissions in another project. To allow VMs in Project A to access BigQuery in Project B, you first identify the Service Account attached to the VMs in Project A. Then, you go to the IAM console in Project B, click 'Add', enter the email address of the Project A Service Account, and assign it the necessary BigQuery roles (e.g., BigQuery Data Viewer, BigQuery Job User). No keys need to be downloaded, and no network peering is required.

Common mistakes

Thinking you need to download JSON keys to cross project boundaries, or thinking VPC peering is required for API access.
46All questions48

Practice the full GCP Associate Cloud Engineer Practice Exam 6

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01What is the primary purpose of a Google Cloud project?EasyQ02Your development team needs to manage Compute Engine instances in a specific project. They need t...MediumQ03You are automating the setup of a new Google Cloud project using a bash script. You need to enabl...EasyQ04Your startup has a strict monthly cloud budget of $500. You want to be notified immediately if yo...MediumQ05Your finance team wants to perform granular analysis of your Google Cloud spending using SQL. The...Hard
View all 50 questions →