GCP Professional Cloud Architect Practice Question
Treasure Maps Inc. operates 20 Google Cloud projects in a single organization. Roughly 50 data scientists rotate among these projects every quarter and must always have the BigQuery Data Viewer role wherever they are currently assigned. The IAM team wants to (1) avoid updating dozens of individual role bindings each time people move, (2) inherit team membership from an existing Azure AD security group named ds-team, and (3) add several internal CI/CD service accounts so they receive the same access.
Which identity construct should receive the BigQuery Data Viewer role on each project to satisfy all requirements with the least operational effort?
A custom IAM role assigned separately to every project and bound to principals as needed
A Google Group that is synchronized with the Azure AD ds-team group, with the CI/CD service accounts added as additional members
Individual external identities for each data scientist via Workforce Identity Federation, each granted the BigQuery Data Viewer role directly
Each data scientist's personal Google Account, granted the BigQuery Data Viewer role directly in every project
Granting the role to a Google Group synchronized from Azure AD meets every requirement:
A Google Group can be automatically kept in sync with an external IdP group (for example, via Cloud Identity's Group Sync with Azure AD), so adding or removing users in Azure AD transparently changes their Google Cloud access without manual IAM updates.
IAM permissions granted to the Google Group are inherited by all current members; when data scientists rotate, administrators simply adjust the IdP group membership.
Google Groups can contain both human Google Accounts and service accounts, so the required CI/CD service accounts can be added as members and inherit the same BigQuery Data Viewer role.
The other options fail to meet one or more constraints:
Individually mapping each user with Workforce Identity Federation and granting roles separately would require continuous per-user IAM updates and cannot include Google-hosted service accounts.
Granting the role directly to every data scientist's Google Account still causes high operational overhead when membership changes and excludes service accounts.
Creating a custom role and assigning it to each project does not solve the membership-management problem; administrators would still need to add or remove principals one by one. Therefore, a synchronized Google Group is the most efficient and scalable solution.
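The following is an added example, not part of the original question or of any Google library: a small Python model of IAM policy bindings that resolves group membership the way the explanation above describes, and compares the number of IAM policy edits a quarterly rotation costs under per-user bindings versus a single group binding per project. The project IDs, user names, the group address ds-team@example.com and the service account name are constructed placeholders; the gcloud command shown in the comment is the real CLI form of the group binding.

```python
"""Model of GCP IAM role bindings with group expansion (added example)."""
from dataclasses import dataclass, field

ROLE = "roles/bigquery.dataViewer"
# Constructed: the Google Group kept in sync with the Azure AD ds-team group.
GROUP = "group:ds-team@example.com"


@dataclass
class Project:
    project_id: str
    # IAM policy: role -> set of members ("user:", "serviceAccount:", "group:")
    bindings: dict = field(default_factory=dict)

    def bind(self, role, member):
        # Equivalent to:
        # gcloud projects add-iam-policy-binding PROJECT \
        #     --member=group:ds-team@example.com --role=roles/bigquery.dataViewer
        self.bindings.setdefault(role, set()).add(member)

    def unbind(self, role, member):
        self.bindings.get(role, set()).discard(member)


def has_role(project, member, role, group_members):
    """True if member holds role directly or through a bound group."""
    members = project.bindings.get(role, set())
    if member in members:
        return True
    return any(m.startswith("group:") and member in group_members.get(m, set())
               for m in members)


def direct_model_rotation(projects, assignment, new_assignment):
    """Per-user bindings: each move costs one unbind plus one bind."""
    by_id = {p.project_id: p for p in projects}
    edits = 0
    for user, old in assignment.items():
        new = new_assignment[user]
        if old != new:
            by_id[old].unbind(ROLE, user)
            by_id[new].bind(ROLE, user)
            edits += 2
    return edits


def group_model_rotation(group_members, leavers, joiners):
    """Group binding: IAM policies stay untouched; only the synced group
    membership changes (done in Azure AD and mirrored into the Google Group)."""
    group_members[GROUP] -= set(leavers)
    group_members[GROUP] |= set(joiners)
    return 0  # zero IAM policy edits across all projects


def demo():
    """Run both models for 20 projects and 50 rotating scientists."""
    ids = [f"tm-proj-{i:02d}" for i in range(20)]
    scientists = [f"user:ds{i:02d}@example.com" for i in range(50)]
    ci_sa = "serviceAccount:ci-deploy@tm-proj-00.iam.gserviceaccount.com"

    # Option D style: bind every scientist directly on the assigned project.
    direct = [Project(pid) for pid in ids]
    assignment = {u: ids[i % 20] for i, u in enumerate(scientists)}
    for u, pid in assignment.items():
        direct[ids.index(pid)].bind(ROLE, u)
    new_assignment = {u: ids[(i + 1) % 20] for i, u in enumerate(scientists)}
    direct_edits = direct_model_rotation(direct, assignment, new_assignment)

    # Option B style: one group binding per project; people and the CI
    # service account are members of the synchronized group.
    grouped = [Project(pid) for pid in ids]
    group_members = {GROUP: set(scientists) | {ci_sa}}
    for p in grouped:
        p.bind(ROLE, GROUP)
    leaver, joiner = scientists[0], "user:new-hire@example.com"
    group_edits = group_model_rotation(group_members, [leaver], [joiner])

    return {
        "direct_edits": direct_edits,
        "group_edits": group_edits,
        "bindings_per_project": len(grouped[0].bindings[ROLE]),
        "sa_has_access_everywhere": all(
            has_role(p, ci_sa, ROLE, group_members) for p in grouped),
        "leaver_revoked": not any(
            has_role(p, leaver, ROLE, group_members) for p in grouped),
        "joiner_granted": all(
            has_role(p, joiner, ROLE, group_members) for p in grouped),
    }


if __name__ == "__main__":
    print(demo())
```

The direct model needs 100 policy edits for one rotation of 50 people, while the group model needs none; the service account inherits the same role on all 20 projects simply by being a group member, which is the property the correct option relies on.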
GCP Professional Cloud Architect
Designing for security and compliance