A Compute Engine VM uses the user-managed service account "app-logger-sa" to push log files into the bucket gs://audit-logs. The account currently has the Storage Admin (roles/storage.admin) role on the entire project. Security wants the configuration changed to follow the principle of least privilege while still allowing the logging agent to function. What should you do?
Keep Storage Admin but add an IAM condition to limit actions to the gs://audit-logs bucket.
Remove the project-level role and grant Storage Object Viewer on the gs://audit-logs bucket.
Replace the project-level role with Storage Admin on the gs://audit-logs bucket.
Remove the project-level Storage Admin role and grant the service account the Storage Object Creator role only on the gs://audit-logs bucket.
The logging agent only needs to create objects in one bucket. Granting Storage Object Creator (roles/storage.objectCreator) on that specific bucket supplies the single permission required, storage.objects.create, and nothing more. After adding this bucket-level binding, you should remove the overly broad project-level Storage Admin role.
Giving Storage Admin at any level far exceeds what is needed, as it allows listing, reading, deleting, and setting IAM on every bucket. Storage Object Viewer would not work because it cannot write objects. Leaving the existing role and adding conditions still keeps thousands of unnecessary permissions and is harder to audit.
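The explanation above amounts to a two-step procedure: add the narrow bucket-level binding, then remove the broad project-level one. The following Python script is an added example (not part of the original question or of any Google tool) that shows how to audit a service account's grants for this pattern and generate the remediation steps in the safe order. The project ID, the service account e-mail and the policy JSON are constructed sample values; the gcloud commands it emits are the standard ones for project- and bucket-level IAM bindings.

```python
"""Audit a Cloud Storage service account for least privilege and plan the fix."""
import json

# Constructed sample of a project-level IAM policy, in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` (abbreviated).
PROJECT_ID = "example-project"  # assumed placeholder project ID
SA = "serviceAccount:app-logger-sa@example-project.iam.gserviceaccount.com"  # constructed
BUCKET = "gs://audit-logs"

PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:app-logger-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com"]}
  ]
}
""")

# The only role a write-only log shipper needs, and only on its own bucket.
REQUIRED_BUCKET_ROLE = "roles/storage.objectCreator"

# Storage roles that carry list/read/delete (and, for admin, setIamPolicy)
# on top of object creation; none of them belong on a log-shipping identity.
BROAD_STORAGE_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin"}


def roles_for_member(policy, member):
    """All roles the member holds in the given policy, sorted for stable output."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def find_excess_grants(project_policy, member):
    """Project-level roles the member holds that exceed what a log shipper needs.

    Any project-level role is flagged: the agent needs access to one bucket,
    not to every bucket in the project.
    """
    return [r for r in roles_for_member(project_policy, member)]


def is_least_privilege(project_policy, bucket_policy, member):
    """True when the member has no project-level storage grants and exactly
    the Object Creator role on the bucket."""
    broad = [r for r in find_excess_grants(project_policy, member)
             if r in BROAD_STORAGE_ROLES]
    bucket_roles = roles_for_member(bucket_policy, member)
    return not broad and bucket_roles == [REQUIRED_BUCKET_ROLE]


def remediation_plan(project_id, project_policy, member, bucket):
    """gcloud steps in the safe order: grant the narrow role first so the agent
    never loses write access, then remove the broad project-level bindings."""
    steps = [
        f"gcloud storage buckets add-iam-policy-binding {bucket} "
        f"--member={member} --role={REQUIRED_BUCKET_ROLE}"
    ]
    for role in find_excess_grants(project_policy, member):
        steps.append(
            f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member={member} --role={role}"
        )
    return steps


if __name__ == "__main__":
    # Bucket policy before remediation: the account has no bucket-level binding.
    bucket_policy_before = {"bindings": []}
    print("least privilege before:", is_least_privilege(PROJECT_POLICY, bucket_policy_before, SA))
    for step in remediation_plan(PROJECT_ID, PROJECT_POLICY, SA, BUCKET):
        print(step)
    # What the policies should look like once the two steps have been applied.
    bucket_policy_after = {"bindings": [{"role": REQUIRED_BUCKET_ROLE, "members": [SA]}]}
    project_policy_after = {"bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}]}
    print("least privilege after:", is_least_privilege(project_policy_after, bucket_policy_after, SA))
```

Running the script prints the two gcloud commands for the sample policy. The add-then-remove ordering matters operationally: removing Storage Admin first would break log shipping until the bucket binding is in place, whereas the reverse order keeps the agent working throughout.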
GCP Associate Cloud Engineer
Configuring access and security