You manage an App Engine Service that aggregates and visualizes data from BigQuery.
The application is deployed with the default App Engine Service account.
The data that needs to be visualized resides in a different project managed by another team.
You do not have access to this project, but you want your application to be able to read data from the BigQuery dataset.
What should you do?
A. B. C. D.

Correct answer: B.
The Owner, Editor, and Viewer primitive roles include the BigQuery Admin (roles/bigquery.dataOwner), BigQuery Data Editor (roles/bigquery.dataEditor), and BigQuery Data Viewer (roles/bigquery.dataViewer) roles, respectively.
This means the Owner, Editor, and Viewer primitive roles have BigQuery access as defined for the respective BigQuery roles.
https://cloud.google.com/bigquery/docs/access-control

The situation presented in the question is that you manage an App Engine Service that needs to access data from a BigQuery dataset residing in a different project managed by another team, which you do not have access to.
To allow your application to read data from the BigQuery dataset, you need to grant the appropriate permissions to the App Engine Service account.
Option A suggests asking the other team to grant the default App Engine Service account the role of BigQuery Job User. The BigQuery Job User role allows the user to run jobs (such as queries) on datasets, but does not provide access to read data from the datasets. Therefore, this option is not the correct solution for the problem.
Option B suggests asking the other team to grant the default App Engine Service account the role of BigQuery Data Viewer. The BigQuery Data Viewer role grants read access to datasets and tables but does not allow running jobs or modifying data. This role would allow your App Engine Service to read the data from the BigQuery dataset in the other project, so this option is the correct solution to the problem presented in the question.
Option C suggests ensuring that the default App Engine Service account has the role of BigQuery Data Viewer in your own project's Cloud IAM. However, this option does not grant access to the BigQuery dataset in the other project, so it is not the correct solution to the problem presented in the question.
Option D suggests granting a newly created service account from the other team the role of BigQuery Job User in your project. However, this option would require the other team to create a new service account, and it also does not grant read access to the BigQuery dataset in the other project, so it is not the correct solution to the problem presented in the question.
Therefore, the correct answer is option B: ask the other team to grant your default App Engine Service account the role of BigQuery Data Viewer. This would allow your application to read data from the BigQuery dataset in the other project.
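
The grant in option B, sketched as an edit to the other team's dataset resource. This is an added example, not part of the original question. It assumes the grant is scoped to the dataset rather than the whole project, uses the JSON shape printed by `bq show --format=prettyjson`, and uses placeholder project, dataset and account names. `READER` is the dataset-level equivalent of BigQuery Data Viewer.

```python
import copy

# Constructed sample: shape of `bq show --format=prettyjson` output for the
# other team's dataset. Project, dataset and user names are placeholders.
SAMPLE_DATASET = {
    "datasetReference": {"projectId": "data-team-project", "datasetId": "sales"},
    "access": [
        {"role": "OWNER", "userByEmail": "owner@example.com"},
        {"role": "WRITER", "specialGroup": "projectWriters"},
    ],
}

# Assumed placeholder for the App Engine default service account.
APP_SA = "my-app-project@appspot.gserviceaccount.com"

# Dataset-level roles that allow reading table data (legacy and IAM names).
READ_ROLES = {
    "READER", "WRITER", "OWNER",
    "roles/bigquery.dataViewer",
    "roles/bigquery.dataEditor",
    "roles/bigquery.dataOwner",
}


def can_read(dataset, email):
    """True if `email` is directly granted a data-reading role on the dataset."""
    return any(
        entry.get("userByEmail") == email and entry.get("role") in READ_ROLES
        for entry in dataset.get("access", [])
    )


def grant_reader(dataset, email):
    """Return a copy of the dataset resource with a read-only entry for `email`.

    Idempotent: an existing direct grant of any level is left untouched, so
    re-running never duplicates entries or changes a role already in place.
    """
    updated = copy.deepcopy(dataset)
    if not can_read(updated, email):
        updated.setdefault("access", []).append(
            {"role": "READER", "userByEmail": email}
        )
    return updated
```

The other team would write the returned resource to a file and apply it with `bq update --source`; the caller's own dataset copy is never modified.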