A GCP project hosts several Cloud Storage buckets that store artifacts produced by multiple CI/CD pipelines. You must let a temporary intern upload new build artifacts to any bucket in the project. The intern must not be able to list, read, or delete existing objects, nor change bucket configuration or other project resources. Following the principle of least privilege and using a single IAM assignment, which role and scope should you grant?
Grant the Editor role (roles/editor) on the project.
Grant the Storage Admin role (roles/storage.admin) on each bucket.
Grant the Storage Object Viewer role (roles/storage.objectViewer) on the project.
Grant the Storage Object Creator role (roles/storage.objectCreator) on the project.
Grant the Storage Object Creator predefined role (roles/storage.objectCreator) at the project level. This role includes only the storage.objects.create permission, which allows a principal to upload (and therefore potentially overwrite) objects in any bucket within the project. It does not include permissions to list, read, or delete existing objects, nor does it allow changing bucket metadata. Assigning it at the project level gives the intern upload rights across all buckets while avoiding broader permissions. Editor and Storage Admin are overly permissive, and Storage Object Viewer is read-only and cannot upload.
GCP Associate Cloud Engineer
Configuring access and security