Validating Data in BigQuery Using App Engine Default Service Account

Question

Last week, a company deployed a new App Engine application that writes logs to BigQuery.

No other workloads are running in the project.

You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.

What should you do?

Answers

Explanations

A. B. C. D.

C.

The task is to validate that all data written to BigQuery was written using the App Engine Default Service Account. Each option is considered in turn below.

Options A and B both involve using Stackdriver Logging to filter on BigQuery Insert Jobs. This means we can filter the logs generated by BigQuery insert jobs and use the authentication field to identify the service account that performed each insert. However, the two options differ in step 3.

Option A suggests that we click on the email address in line with the App Engine Default Service Account in the authentication field and then click Hide Matching Entries. This means we are filtering out entries where the service account used to perform the insert is the App Engine Default Service Account. We then need to verify that the resulting list is empty. This approach confirms that only the App Engine Default Service Account was used to write data to BigQuery.

Option B suggests that we click on the email address in line with the App Engine Default Service Account in the authentication field and then click Show Matching Entries. This means we are displaying only the entries where the service account used to perform the insert is the App Engine Default Service Account. We then need to verify that the resulting list is empty. This approach confirms that there were no entries where the App Engine Default Service Account was not used to write data to BigQuery.

Therefore, between options A and B, option A is the correct answer because we want to make sure that only the App Engine Default Service Account was used to write data to BigQuery.

Option C suggests that we select the related dataset in BigQuery and make sure the App Engine Default Service Account is the only account that can write to the dataset. This is a valid approach to ensure that only the App Engine Default Service Account has access to write data to the dataset, but it does not validate that only the App Engine Default Service Account was used to write data to BigQuery.

Option D suggests that we go to the IAM section on the project and validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery. This is a valid approach to ensure that only the App Engine Default Service Account has the appropriate IAM role to write data to BigQuery, but it does not validate that only the App Engine Default Service Account was used to write data to BigQuery.

In summary, the correct answer is A. We should use Stackdriver Logging to filter on BigQuery Insert Jobs and click on the email address in line with the App Engine Default Service Account in the authentication field. We should then click Hide Matching Entries and verify that the resulting list is empty.
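The Hide Matching Entries check from option A can also be run over exported audit log entries. The script below is an added example, not part of the original page; the project ID, the sample entries and the function name are constructed, and it assumes the audit log field names `protoPayload.methodName` and `protoPayload.authenticationInfo.principalEmail`.

```python
import json

# Assumption: hypothetical project ID. The App Engine default service account
# is named PROJECT_ID@appspot.gserviceaccount.com.
PROJECT_ID = "example-project"
APP_ENGINE_SA = f"{PROJECT_ID}@appspot.gserviceaccount.com"

# Assumption: BigQuery insert jobs are logged with this audit method name.
INSERT_METHOD = "jobservice.insert"

# Constructed sample audit log entries, one JSON object per line, trimmed to
# the fields this check reads. Not real log data.
SAMPLE_LOG = """
{"insertId":"a1","protoPayload":{"methodName":"jobservice.insert","authenticationInfo":{"principalEmail":"example-project@appspot.gserviceaccount.com"}}}
{"insertId":"a2","protoPayload":{"methodName":"jobservice.insert","authenticationInfo":{"principalEmail":"analyst@example.com"}}}
{"insertId":"a3","protoPayload":{"methodName":"jobservice.getqueryresults","authenticationInfo":{"principalEmail":"analyst@example.com"}}}
{"insertId":"a4","protoPayload":{"methodName":"jobservice.insert","authenticationInfo":{}}}
"""


def unexpected_writers(lines, expected=APP_ENGINE_SA):
    """Return (insertId, principal) for insert jobs not run by `expected`.

    Mirrors "Hide Matching Entries": entries for the expected account are
    dropped, so an empty result means no other identity ran an insert job.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != INSERT_METHOD:
            continue  # not a BigQuery insert job
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        # A missing principal is reported, never silently counted as a match.
        if principal is None or principal.lower() != expected.lower():
            findings.append((json.loads(line).get("insertId"), principal))
    return findings


if __name__ == "__main__":
    for insert_id, principal in unexpected_writers(SAMPLE_LOG.splitlines()):
        print(f"unexpected writer: {principal!r} (insertId={insert_id})")
```

An empty return value corresponds to the empty list that option A asks you to verify; note that the check only covers the period the exported logs span.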