Your company's operations group ([email protected]) must be able to start and stop existing Compute Engine virtual machines in a single project during scheduled maintenance. They must not create, delete, or reconfigure instances, and they should have no additional permissions on other Google Cloud resources. Following the principle of least privilege, how should you grant this access?
Grant the predefined role Compute Instance Admin (roles/compute.instanceAdmin.v1) to the group at the project level.
Grant the predefined role Compute Viewer (roles/compute.viewer) to the group at the project level.
Create a custom role that includes only compute.instances.start and compute.instances.stop permissions, then bind that role to the group at the project level.
Grant the primitive Editor role to the group at the project level.
The operations group only needs the ability to invoke the start and stop actions on existing VM instances. Neither the primitive Editor role nor the predefined Compute Instance Admin role is appropriate, because both include broad permissions such as creating, deleting, or modifying instances and other resources. The Compute Viewer role is read-only and cannot change instance power state. The correct approach is to create a custom IAM role that contains just the required permissions, compute.instances.start and compute.instances.stop (and any related list or get permissions), and bind that custom role to the group at the project level. This grants exactly the needed capabilities without over-privileging the users.
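The custom-role approach from the explanation, as an added example that is not part of the original question: it creates the role, binds it to the group, and audits a permission list against the start/stop allowlist. The project ID, role ID, group address, the `RUN` dry-run switch and the `audit_permissions` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. PROJECT_ID, ROLE_ID and
# GROUP_EMAIL defaults are placeholders; override them in the environment.
PROJECT_ID="${PROJECT_ID:-example-project}"
ROLE_ID="${ROLE_ID:-vmPowerOperator}"
GROUP_EMAIL="${GROUP_EMAIL:-ops-group@example.com}"
RUN="${RUN-echo}"   # dry run by default: prints commands; set RUN= to execute

# start/stop are the required permissions; get/list are the related read
# permissions the explanation allows for, so operators can find instances.
ALLOWED="compute.instances.start compute.instances.stop compute.instances.get compute.instances.list"

# Create the project-level custom role with only the allowlisted permissions.
create_role() {
  $RUN gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="VM Power Operator" --stage=GA \
    --permissions="$(printf '%s' "$ALLOWED" | tr ' ' ',')"
}

# Bind the custom role to the operations group on the project.
bind_role() {
  $RUN gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="group:$GROUP_EMAIL" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Audit a permission list (separated by spaces, commas, semicolons or
# newlines), e.g. the includedPermissions of a role. Prints each permission
# outside ALLOWED and each missing required one; returns 0 only if clean.
audit_permissions() {
  rc=0
  granted=$(printf '%s\n' "$1" | tr ' ,;' '\n\n\n' | sed '/^$/d' | sort -u)
  for p in $granted; do
    case " $ALLOWED " in
      *" $p "*) ;;
      *) echo "EXCESS  $p"; rc=1 ;;
    esac
  done
  for req in compute.instances.start compute.instances.stop; do
    printf '%s\n' "$granted" | grep -qxF "$req" || { echo "MISSING $req"; rc=1; }
  done
  return $rc
}

create_role
bind_role
```

Run as-is, the script only prints the two `gcloud` commands; the audit function can be pointed at any role's permission list to confirm that nothing beyond start, stop, get and list has crept in.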
GCP Associate Cloud Engineer
Setting up a cloud solution environment