Your company's support engineers occasionally need to restart Compute Engine virtual machines that are already running in several Google Cloud projects. They must be able to start and stop existing VMs, but they must not create, delete, or modify VM configurations or any other resources. Following the principle of least privilege, which type of IAM role should you assign to the support engineers in each project?
Grant the predefined role roles/compute.instanceAdmin.v1 to the engineers in each project.
Create a custom role that includes only compute.instances.start and compute.instances.stop and assign it to the engineers in each project.
Grant the primitive role Editor in each project.
Add the engineers as members of the default Compute Engine service account used by the VMs.
A predefined role such as roles/compute.instanceAdmin.v1 or the primitive Editor role would give the engineers broad permissions, including the ability to create or delete VM instances, which violates least-privilege requirements. Adding them to a service account does not grant user permissions; it allows the service account itself to act. The correct approach is to create a custom role that contains only the specific permissions the team needs (compute.instances.start and compute.instances.stop) and grant that role at the project level. Custom roles let administrators bundle a precise set of permissions when no predefined role matches the required granularity.
GCP Associate Cloud Engineer
Setting up a cloud solution environment