Your startup runs a batch job on a Compute Engine VM whose attached service account is [email protected]. The job must read (but not write) objects from a single Cloud Storage bucket named audit-logs that lives in the same project. To follow the principle of least privilege and avoid granting broader access, which IAM assignment should you create?
Grant the Viewer basic role to the service account at the organization level.
Grant the Storage Object Viewer role to the service account on the project.
Grant the Storage Object Viewer role to [email protected] on the audit-logs bucket.
Grant the Storage Admin role to the service account on the audit-logs bucket.
The Storage Object Viewer role (roles/storage.objectViewer) grants permissions to list and read objects in Cloud Storage without allowing writes or administrative actions. Granting this role to the service account at the bucket level confines access strictly to the audit-logs bucket, satisfying the least-privilege requirement. Granting it at the project level would allow reading every bucket in the project, Storage Admin is overly permissive, and granting the Viewer role at the organization level provides far broader access than necessary.
GCP Associate Cloud Engineer
Configuring access and security