Your team runs a Compute Engine VM that processes orders. The VM's user-managed service account must 1) pull messages from the orders-sub Pub/Sub subscription and 2) upload the resulting PDF receipt files only to the gs://processed-orders bucket. Which IAM configuration best follows the principle of least privilege?
Grant the predefined Editor role on the project to the service account.
Grant roles/pubsub.admin and roles/storage.admin on the project to the service account.
Create a custom role with only the required Pub/Sub and Cloud Storage permissions and grant it to the service account at the organization level.
Grant roles/pubsub.subscriber on the orders-sub subscription and roles/storage.objectCreator on the gs://processed-orders bucket to the service account.
Granting roles/pubsub.subscriber on the orders-sub subscription alone lets the VM pull and acknowledge messages from that subscription, with no Pub/Sub administration rights and no access to other topics or subscriptions. Granting roles/storage.objectCreator on the gs://processed-orders bucket alone lets it create new objects there but not read, list, or delete existing ones; because overwriting an object also requires storage.objects.delete, it cannot replace an existing receipt either. Both bindings are scoped to the exact resources needed and avoid project-wide basic or admin roles. The Editor role and the Pub/Sub and Storage admin roles grant far more than required. A custom role containing only the required permissions would be acceptable in principle, but granting it at the organization level extends the VM's access to every project, subscription, and bucket in the organization, so it still violates least privilege. One practical caveat: a Compute Engine VM's access scopes still gate what its service account can reach, so create the VM with the cloud-platform scope and rely on these resource-level IAM bindings, rather than legacy scopes, to limit its effective access.
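The correct answer expressed as gcloud commands, as an added example that is not part of the original question or its explanation. The project ID and the service account name are assumptions for illustration; the subscription and bucket names come from the question. The run helper prints the commands instead of executing them when DRY_RUN=1, so the bindings can be reviewed before touching a real project.

```shell
#!/bin/sh
# Added example, not from the original page: apply the least-privilege
# answer with gcloud. PROJECT_ID and the service account name are
# assumptions for illustration; orders-sub and gs://processed-orders
# come from the question.
PROJECT_ID="${PROJECT_ID:-example-project}"
SA="order-processor@${PROJECT_ID}.iam.gserviceaccount.com"
SUBSCRIPTION="orders-sub"
BUCKET="gs://processed-orders"

# run: execute a command, or print it instead when DRY_RUN=1 so the
# bindings can be reviewed before touching a real project.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Bind at the subscription, not the project: the service account can
# pull and ack messages from orders-sub and nothing else in Pub/Sub.
grant_subscriber() {
  run gcloud pubsub subscriptions add-iam-policy-binding "$SUBSCRIPTION" \
    --project="$PROJECT_ID" \
    --member="serviceAccount:$SA" \
    --role="roles/pubsub.subscriber"
}

# Bind at the bucket: objectCreator can add objects to processed-orders
# but cannot read, list, delete, or replace the ones already there.
grant_object_creator() {
  run gcloud storage buckets add-iam-policy-binding "$BUCKET" \
    --member="serviceAccount:$SA" \
    --role="roles/storage.objectCreator"
}

# Check the result: the two resource policies should list the service
# account, and the project policy should show no role for it at all
# (that is the "no project-wide basic or admin roles" part).
show_bindings() {
  run gcloud pubsub subscriptions get-iam-policy "$SUBSCRIPTION" \
    --project="$PROJECT_ID"
  run gcloud storage buckets get-iam-policy "$BUCKET"
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA" \
    --format="table(bindings.role)"
}

apply_least_privilege() {
  grant_subscriber
  grant_object_creator
  show_bindings
}

# Only act when explicitly asked, e.g.:
#   DRY_RUN=1 APPLY=1 sh least_privilege.sh   # preview the commands
#   APPLY=1 sh least_privilege.sh             # apply them
if [ "${APPLY:-0}" = "1" ]; then
  apply_least_privilege
fi
```

The final projects get-iam-policy query is the negative check: after the two resource-level bindings, filtering the project policy on the service account should return an empty table. If it lists roles/editor, roles/pubsub.admin, or roles/storage.admin, the account still carries one of the over-broad grants from the incorrect options.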
GCP Associate Cloud Engineer
Configuring access and security