
Google Professional Cloud Developer: What’s the Best Way to Connect Windows Compute Engine Instance to Cloud SQL Using the Auth Proxy?

Learn the recommended steps to securely connect your Windows Compute Engine instance to Cloud SQL using the Cloud SQL Auth Proxy and the principle of least privilege.


Question

You are about to deploy an application hosted on a Compute Engine instance with Windows OS and Cloud SQL. You plan to use the Cloud SQL Auth Proxy for connectivity to the Cloud SQL instance. You plan to follow Google-recommended practices and the principle of least privilege. You have already created a custom service account. What should you do next?

A. Create and assign a custom role with the cloudsql.instances.connect permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.
B. Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy start command to use the --unix-socket CLI option.
C. Grant the custom service account the roles/cloudsql.editor role.
D. Grant the custom service account the roles/cloudsql.viewer role. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.

Answer

B. Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy start command to use the --unix-socket CLI option.

Explanation

To securely connect your Windows Compute Engine instance to Cloud SQL using the Cloud SQL Auth Proxy:

  1. Create a custom service account for your instance to use, following the principle of least privilege.
  2. Grant the custom service account the roles/cloudsql.client role. This role provides the minimum permissions the Auth Proxy needs to connect to Cloud SQL, so it follows the principle of least privilege better than roles such as cloudsql.editor or cloudsql.viewer, which grant additional, unnecessary permissions.
  3. When starting the Cloud SQL Auth Proxy on your Windows instance, use the --unix-socket option in the start command. This tells the proxy to use a Unix socket to communicate with the Cloud SQL instance, which is more secure than opening a local port.
  4. Adjust your application’s database connection settings to connect to the Unix socket created by the proxy.
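A defender-side check for step 2, added here as an example and not taken from the original page: it audits the project IAM policy (the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns) to confirm the proxy's service account holds roles/cloudsql.client and nothing broader, then emits the gcloud commands that would correct the bindings. The project name, service account and policy document are constructed sample data.

```python
"""Least-privilege audit for a Cloud SQL Auth Proxy service account.

Added example, not code from the original page. It reads the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`, checks that the
proxy's service account holds roles/cloudsql.client, flags broader Cloud SQL
roles, and emits the gcloud commands that would fix the bindings. The policy
and names below are constructed sample data.
"""
import json

REQUIRED_ROLE = "roles/cloudsql.client"  # all the proxy needs to connect
# Predefined Cloud SQL roles that grant more than the proxy needs.
BROAD_ROLES = {"roles/cloudsql.admin", "roles/cloudsql.editor", "roles/cloudsql.viewer"}


def audit_cloudsql_access(policy: dict, service_account: str) -> dict:
    """Return which Cloud SQL roles the account is missing or holds in excess."""
    member = f"serviceAccount:{service_account}"
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    missing = [] if REQUIRED_ROLE in held else [REQUIRED_ROLE]
    excessive = sorted(held & BROAD_ROLES)
    return {"compliant": not missing and not excessive,
            "missing": missing, "excessive": excessive}


def remediation_commands(project: str, service_account: str, audit: dict) -> list:
    """gcloud commands that add the required role and remove the broad ones."""
    member = f"serviceAccount:{service_account}"
    cmds = [f"gcloud projects add-iam-policy-binding {project} "
            f"--member={member} --role={role}" for role in audit["missing"]]
    cmds += [f"gcloud projects remove-iam-policy-binding {project} "
             f"--member={member} --role={role}" for role in audit["excessive"]]
    return cmds


# Constructed sample policy: the account was given editor instead of client.
SAMPLE_SA = "app-proxy@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudsql.editor",
     "members": ["serviceAccount:app-proxy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:app-proxy@example-project.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    result = audit_cloudsql_access(SAMPLE_POLICY, SAMPLE_SA)
    print(result)
    for cmd in remediation_commands("example-project", SAMPLE_SA, result):
        print(cmd)
```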

The other options are incorrect because they either grant excessive permissions to the service account (C and D) or use a less secure connection method by opening a local port (A).

By following these steps, you ensure your Windows Compute Engine instance connects to Cloud SQL securely through the Auth Proxy, using the minimum necessary permissions.
