Your security team has prohibited granting the storage.objects.getIamPolicy permission in the payroll project. A group of analysts must be able to upload new objects and delete outdated objects in a sensitive Cloud Storage bucket, but they must not view or change IAM policies. The available predefined Storage roles all include the forbidden permission. How should you grant the required access while respecting the security constraint?
Use object ACLs to give the analysts OWNER access on all objects in the bucket while leaving IAM unchanged.
Create an organization- or project-level custom IAM role that includes only storage.objects.create and storage.objects.delete, then grant that role on the bucket to the analysts' Google Group.
Grant the analysts the predefined Storage Object Admin role on the bucket and add an IAM deny policy for storage.objects.getIamPolicy.
Enable Uniform bucket-level access and grant the analysts the Storage Admin role on the bucket so they inherit all necessary permissions automatically.
Predefined roles such as Storage Object Admin or Storage Admin bundle all storage.objects.* permissions, which include storage.objects.getIamPolicy, violating the security team's restriction. A custom role lets you pick only the necessary permissions (for example, storage.objects.create and storage.objects.delete) and omit the disallowed storage.objects.getIamPolicy. You can then bind that custom role to the analysts' group at the bucket level. Combining IAM conditions with broader roles would still include the prohibited permission, and using ACLs or Uniform bucket-level access does not remove permissions embedded in the predefined roles. Therefore, defining and assigning a custom IAM role is the correct and least-privilege solution.
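The following script is an added example, not part of the exam page and not Google's own tooling. It builds the least-privilege custom role the explanation describes, checks the permission list against a forbidden set before anything is created, and then prints (or, with APPLY=1, runs) the gcloud commands that create the role and bind it to the analysts' group on the bucket. The project ID, bucket name, group address, role ID and title are assumed placeholders; the gcloud commands used (`gcloud iam roles create --file` and `gcloud storage buckets add-iam-policy-binding`) exist in the current gcloud CLI.

```bash
#!/usr/bin/env bash
# Added example (not from the exam page): create a custom role that carries only
# storage.objects.create and storage.objects.delete, verify it never includes a
# prohibited permission, and bind it on the bucket to the analysts' group.
# PROJECT_ID, BUCKET, GROUP and ROLE_ID below are assumed placeholder values.
set -e

PROJECT_ID="${PROJECT_ID:-payroll-project-placeholder}"
BUCKET="${BUCKET:-payroll-sensitive-bucket-placeholder}"
GROUP="${GROUP:-analysts@example.com}"
ROLE_ID="${ROLE_ID:-payrollObjectWriter}"

# The only permissions the analysts need for their job.
WANTED_PERMISSIONS="storage.objects.create storage.objects.delete"
# Permissions the security team has prohibited; setIamPolicy is added here as a
# natural companion to the getIamPolicy restriction on the page (an assumption).
FORBIDDEN_PERMISSIONS="storage.objects.getIamPolicy storage.objects.setIamPolicy"

# check_permissions LIST: return 0 when LIST contains no forbidden permission,
# 1 (with a message on stderr) as soon as one is found.
check_permissions() {
  local perm forbidden
  for perm in $1; do
    for forbidden in $FORBIDDEN_PERMISSIONS; do
      if [ "$perm" = "$forbidden" ]; then
        echo "refusing: $perm is prohibited by the security team" >&2
        return 1
      fi
    done
  done
  return 0
}

# role_yaml LIST: emit the role definition file consumed by
# `gcloud iam roles create --file`.
role_yaml() {
  local perm
  printf 'title: "Payroll Object Writer"\n'
  printf 'description: "Upload and delete objects only; no IAM policy access"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  for perm in $1; do
    printf '%s %s\n' '-' "$perm"
  done
}

# run CMD...: always print the command; execute it only when APPLY=1 so the
# script is safe to run as a dry run without gcloud credentials.
run() {
  printf '+ %s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

main() {
  # Fail before touching IAM if the wanted list ever drifts to include a
  # prohibited permission.
  check_permissions "$WANTED_PERMISSIONS"

  local tmp
  tmp="$(mktemp -d)"
  role_yaml "$WANTED_PERMISSIONS" > "$tmp/role.yaml"

  # Project-level custom role containing only the two permissions.
  run gcloud iam roles create "$ROLE_ID" \
    --project="$PROJECT_ID" --file="$tmp/role.yaml"

  # Bind the custom role to the analysts' group on the bucket itself,
  # not on the project, so the grant is scoped to this bucket only.
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="group:$GROUP" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

main
```

Run it once without APPLY to review the generated commands and the role YAML, then with `APPLY=1` to execute them. Feeding a permission list that copies Storage Object Admin (which carries storage.objects.getIamPolicy) makes check_permissions refuse before any gcloud call, which is the guard the explanation's reasoning implies.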
GCP Associate Cloud Engineer
Setting up a cloud solution environment