A contractor must upload new log files to Cloud Storage bucket "gs://media-raw" and verify the upload by listing the object names. The contractor must not delete, overwrite, or read the contents of existing objects and should have no permissions on any other project resources. What is the LEAST-privilege way to meet this requirement?
Grant the contractor the legacy Bucket Writer IAM-compatible role on bucket gs://media-raw.
Grant the contractor the Storage Object Creator role (roles/storage.objectCreator) on bucket gs://media-raw.
Grant the contractor the Storage Object Admin role (roles/storage.objectAdmin) on bucket gs://media-raw.
Grant the contractor the Storage Object Creator role (roles/storage.objectCreator) at the project level.
Granting the contractor the Storage Object Creator role at the bucket level allows them to create objects in that specific bucket only. They can list the names of objects they upload but cannot delete or overwrite objects they do not own, nor can they read the contents of existing objects. Assigning the role at the project level would give access to every bucket in the project, which violates the principle of least privilege. The Storage Object Admin role would allow full control (including delete and overwrite) on the bucket, and the legacy Bucket Writer IAM-compatible role is broader than necessary because it implicitly permits deletions. Therefore, bucket-level roles/storage.objectCreator is the most restrictive role that still satisfies the requirements.
GCP Associate Cloud Engineer
Configuring access and security