GCP Associate Cloud Engineer Practice Question

Your team created a user-managed service account named [email protected]. The account must read objects from every Cloud Storage bucket in project log-proj. You want to grant the predefined Storage Object Viewer role to the service account at the project level without modifying any other existing IAM bindings. Which gcloud command accomplishes this goal?

gcloud projects set-iam-policy log-proj policy.yaml (with the new binding added manually to the file)
gcloud storage buckets add-iam-policy-binding gs://log-proj --member=serviceAccount:[email protected] --role=roles/storage.objectViewer
gcloud projects add-iam-policy-binding log-proj --member=serviceAccount:[email protected] --role=roles/storage.objectViewer
gcloud iam service-accounts add-iam-policy-binding [email protected] --member=project:log-proj --role=roles/storage.objectViewer

Report Issue

Answer Description

To grant a role to a principal for an entire project and keep all other bindings unchanged, you use gcloud projects add-iam-policy-binding. The command appends the new binding to the current project-level IAM policy instead of replacing it. Supplying the service account as the member and roles/storage.objectViewer as the role satisfies the requirement that the account can read objects across all buckets in the project.

Using gcloud iam service-accounts add-iam-policy-binding would attach a role on the service-account resource, not give that service account access to project resources. Setting the policy with gcloud projects set-iam-policy could work, but it risks overwriting the policy if you do not first merge existing bindings. Adding a binding on an individual bucket would not cover every bucket in the project.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.