Week 6: Diagnostic Questions
You need to configure access to Cloud Spanner from the GKE cluster that is supporting Cymbal Superstore’s ecommerce microservices application. You want to specify an account type to set the proper permissions. What should you do?
- Assign permissions to a Google account referenced by the application
- Assign permissions through a Google Workspace account referenced by the application
- Assign permissions through a service account referenced by the application
- Assign permissions through a Cloud Identity account referenced by the application
You are trying to assign roles to the dev and prod projects of Cymbal Superstore’s e-commerce app but are receiving an error when you try to run set-iam-policy. The projects are organized into an ecommerce folder in the Cymbal Superstore organizational hierarchy. You want to follow best practices for the permissions you need while respecting the practice of least privilege. What should you do?
- Ask your administrator for resourcemanager.projects.setIamPolicy roles for each project
- Ask your administrator for the roles/resourcemanager.folderIamAdmin for the ecommerce folder
- Ask your administrator for the roles/resourcemanager.organizationAdmin for Cymbal Superstore
- Ask your administrator for the roles/iam.securityAdmin role in IAM
You have a custom role implemented for administration of the dev/test environment for Cymbal Superstore’s transportation management application. You are developing a pilot to use Cloud Run instead of Cloud Functions. You want to ensure your administrators have the correct access to the new resources. What should you do?
- Make the change to the custom role locally and run an update on the custom role
- Delete the custom role and recreate a new custom role with required permissions
- Copy the existing role, add the new permissions to the copy, and delete the old role
- Create a new role with needed permissions and migrate users to it
Which of the scenarios below is an example of a situation where you should use a service account?
- To directly access user data
- For development environments
- For interactive analysis
- For individual GKE pods
Cymbal Superstore is implementing a mobile app for end users to track deliveries that are en route to them. The app needs to access data about truck location from Pub/Sub using Google recommended practices. What kind of credentials should you use?
- API key
- OAuth 2.0 client
- Environment-provided service account
- Service account key
Which Cloud Audit log is disabled by default with a few exceptions?
- Admin Activity audit logs
- Data Access audit logs
- System Event audit logs
- Policy Denied audit logs
Outline where Cloud Audit logs can be accessed: in the logging tab of the operations interface
You are configuring audit logging for Cloud Storage. You want to know when objects are added to a bucket. Which type of audit log entry should you monitor?
- Admin Activity log entries
- ADMIN_READ log entries
- DATA_READ log entries
- DATA_WRITE log entries
Week 6: Knowledge Check
What kind of account is meant for machine-to-machine communication in Google Cloud?
- User account
- Google Workspace account
- Service account
- Cloud Identity account
You are authenticating an application to service APIs. Both resources are internal to the Google Cloud environment. What type of credentials should you use?
- User account credentials
- Locally stored keys
- API keys
- Temporary credentials