Your organization has several GCP projects that host internal tools. Interns need read-only access to Cloud Storage objects and Cloud Logging logs across all projects, but they must not receive any additional permissions. What is the most maintainable way to meet this requirement while following the principle of least privilege?
Assign the interns both the Storage Object Viewer and Logging Viewer predefined roles in every project.
Create a custom role at the organization level with only the required storage and logging permissions, then grant that role to the interns' Google Group on each project.
Add the interns' Google Group as Viewers at the organization level so they can inherit read-only access to all resources.
Create a custom role in one project, grant it to the interns' Google Group there, and rely on Cloud IAM to automatically expose the role to the other projects.
A custom role defined at the organization level can contain exactly the permissions the interns need, such as storage.objects.get, storage.objects.list, logging.logEntries.list, and logging.logs.list. Because an organization-level custom role can be granted in any project under that organization, you create and maintain the role once (creating it requires iam.roles.create on the organization, which the Organization Role Administrator role provides). You then grant the role to the interns' Google Group on each project, or once at the organization level if every current and future project should be covered. A project-level custom role can only be granted within the project that defines it, so it would have to be duplicated in every project; Cloud IAM does not expose it to other projects, which is why the fourth option does not work. Stacking predefined roles such as Storage Object Viewer and Logging Viewer has to be repeated in every project and carries the additional read permissions bundled in those roles. The basic Viewer role is far too permissive: it grants read access to nearly every resource in the organization. One caveat: custom roles are not updated automatically when Google adds permissions to a service, so review the role's permission list periodically.
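The following script is an added example, not part of the original question or of any Google documentation. It provisions the role described above with gcloud: one organization-level custom role, then a binding for the group in each project, then a check that the group holds no other role in a project. The organization ID, role ID, group address and project IDs are placeholders; by default the script only prints the gcloud commands it would run (DRY_RUN=1), so it can be reviewed before being executed against a real organization.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). ORG_ID, ROLE_ID, GROUP and
# PROJECTS are assumed placeholder values; override them in the environment.
set -eu

ORG_ID="${ORG_ID:-123456789012}"
ROLE_ID="${ROLE_ID:-internReadOnly}"
GROUP="${GROUP:-interns@example.com}"
PROJECTS="${PROJECTS:-tools-prod tools-staging tools-dev}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = run gcloud for real

# Execute a command, or print it with a "+ " prefix when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Fully qualified resource name of an organization-level custom role.
# This is the value used with --role when binding the role in a project.
role_resource() {
  printf 'organizations/%s/roles/%s' "$1" "$2"
}

# Write the role definition: only the four permissions the interns need.
# "stage: GA" marks the role as launched rather than ALPHA/BETA.
write_role_yaml() {
  cat >"$1" <<'EOF'
title: Intern Read-Only
description: Read Cloud Storage objects and Cloud Logging logs, nothing else
stage: GA
includedPermissions:
- storage.objects.get
- storage.objects.list
- logging.logEntries.list
- logging.logs.list
EOF
}

# Step 1: create the role once, at the organization level.
create_role() {
  yaml="$(mktemp)"
  write_role_yaml "$yaml"
  run gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$yaml"
}

# Step 2: bind the interns' Google Group to that role in every project.
bind_group() {
  role="$(role_resource "$ORG_ID" "$ROLE_ID")"
  for project in $PROJECTS; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="group:$GROUP" --role="$role"
  done
}

# Step 3: list every role the group holds in a project. The expected output
# is exactly one line, the custom role; anything else is a least-privilege
# violation worth investigating.
verify_project() {
  run gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:group:$GROUP" \
    --format='value(bindings.role)'
}

main() {
  create_role
  bind_group
  for project in $PROJECTS; do
    verify_project "$project"
  done
}

# Only run the full flow when invoked directly, not when sourced for testing.
if [ "${0##*/}" = "intern_role.sh" ]; then
  main
fi
```

Run it as `DRY_RUN=1 bash intern_role.sh` first to review the commands, then with `DRY_RUN=0` under an identity that holds Organization Role Administrator on the organization and Project IAM Admin on each project. The verification step is the one to repeat after any policy change: if the group ever shows up with a second role, someone has bypassed the custom role.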
GCP Associate Cloud Engineer
Configuring access and security