Streamlined Solution for Granting Permissions in Google Cloud | Best Practices

Granting Permissions in Google Cloud for Support Team

Question

You built an application on Google Cloud that uses Cloud Spanner.

Your support team needs to monitor the environment but should not have access to table data.

You need a streamlined solution to grant the correct permissions to your support team, and you want to follow Google-recommended practices.

What should you do?

Answers

Explanations


B.

The correct answer is A. Add the support team group to the roles/monitoring.viewer role.

Google Cloud offers various roles to grant users or groups permissions to specific resources. The roles are designed based on the principle of least privilege, which means granting only the necessary permissions required to complete a task. In this scenario, the support team needs to monitor the environment but should not have access to table data, so we need to assign the appropriate role.

Option A, adding the support team group to the roles/monitoring.viewer role, is the recommended solution for this scenario. This role grants read-only access to the environment's monitoring data, such as metrics, logs, and alerts. It does not provide access to the table data, which meets the requirement of the scenario. roles/monitoring.viewer is the Cloud IAM Monitoring Viewer role, which provides read access to monitoring data across Google Cloud. Assigning the more specific role is recommended over a more general one because it gives more granular control over what the support team can reach.

Option B, adding the support team group to the roles/spanner.databaseUser role, is not the recommended solution because this role grants read and write access to the Cloud Spanner instance. It includes access to table data, which is not required for the scenario.

Option C, adding the support team group to the roles/spanner.databaseReader role, is not the recommended solution because this role provides read-only access to the Cloud Spanner instance. It includes access to table data, which is not required for the scenario.

Option D, adding the support team group to the roles/stackdriver.accounts.viewer role, is not the recommended solution because this role provides read-only access to the Stackdriver account. It does not provide access to the Cloud Spanner instance, which is required for the scenario.

In summary, to grant the support team the correct permissions to monitor the environment without access to table data, we should add the support team group to the roles/monitoring.viewer role.
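The recommendation above is easy to state and easy to drift away from, since a later binding can quietly add a Spanner data role to the same group. The following Python is an added example, not code from the original page, that audits an exported project IAM policy for a support group: it confirms the group holds roles/monitoring.viewer, flags any binding that exposes Spanner table data, and prints the gcloud commands that would restore the least-privilege state. The policy JSON, project id and group address are constructed for the example; the role set goes slightly beyond the four roles discussed on the page by also treating roles/spanner.databaseAdmin, roles/spanner.admin, roles/owner and roles/editor as data-exposing, since each of those includes Spanner data access.

```python
"""Least-privilege audit of a support group's Google Cloud IAM bindings (added example)."""
from __future__ import annotations

import json

# Roles that expose Cloud Spanner table data: the two Spanner roles the page
# rejects, plus broader Spanner and basic roles that also include data access.
SPANNER_DATA_ROLES = {
    "roles/spanner.databaseUser",
    "roles/spanner.databaseReader",
    "roles/spanner.databaseAdmin",
    "roles/spanner.admin",
    "roles/owner",
    "roles/editor",
}

# Read-only monitoring role recommended in the explanation above.
MONITORING_VIEWER = "roles/monitoring.viewer"

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Project id, group address, etag and bindings are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/monitoring.viewer",
     "members": ["group:support-team@example.com"]},
    {"role": "roles/spanner.databaseReader",
     "members": ["group:support-team@example.com", "user:dba@example.com"]},
    {"role": "roles/spanner.databaseUser",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
"""


def load_sample_policy() -> dict:
    """Parse the constructed sample policy into the dict form gcloud would give."""
    return json.loads(SAMPLE_POLICY_JSON)


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Collect every role the policy binds directly to `member`."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_support_member(policy: dict, member: str) -> dict:
    """Check that `member` holds the monitoring role and no Spanner data role."""
    held = roles_for_member(policy, member)
    data_roles = sorted(held & SPANNER_DATA_ROLES)
    return {
        "member": member,
        "has_monitoring_viewer": MONITORING_VIEWER in held,
        "data_access_roles": data_roles,
        "compliant": MONITORING_VIEWER in held and not data_roles,
    }


def remediation_commands(project: str, report: dict) -> list[str]:
    """gcloud commands that would move `member` to the recommended bindings."""
    member = report["member"]
    cmds: list[str] = []
    if not report["has_monitoring_viewer"]:
        cmds.append(
            f"gcloud projects add-iam-policy-binding {project} "
            f'--member="{member}" --role="{MONITORING_VIEWER}"'
        )
    for role in report["data_access_roles"]:
        cmds.append(
            f"gcloud projects remove-iam-policy-binding {project} "
            f'--member="{member}" --role="{role}"'
        )
    return cmds


if __name__ == "__main__":
    policy = load_sample_policy()
    report = audit_support_member(policy, "group:support-team@example.com")
    print(json.dumps(report, indent=2))
    for cmd in remediation_commands("example-project", report):
        print(cmd)
```

In the constructed sample the support group correctly holds roles/monitoring.viewer but has also picked up roles/spanner.databaseReader, so the audit reports it as non-compliant and emits a single remove-iam-policy-binding command. Run it against a real export by replacing the sample with the output of `gcloud projects get-iam-policy`; the check only inspects direct bindings, so inherited folder or organization grants need the same audit at those levels.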