GCP Professional Cloud Security Engineer Practice Question

In your organization, the CI/CD platform runs in the devops project by using the service account [email protected]. The pipeline must upload build artifacts to the Cloud Storage bucket gs://release-artifacts that resides in the prod project. The security team requires that the service account be able to add new objects to the bucket but must not be allowed to list, view, overwrite, or delete existing objects. All permissions must be granted as narrowly scoped as possible on the bucket itself. Which single IAM role assignment best meets the requirement?

Assign roles/storage.admin to [email protected] on the prod project.
Assign roles/storage.objectAdmin to [email protected] on the release-artifacts bucket.
Assign roles/storage.legacyBucketWriter to [email protected] on the prod project.
Assign roles/storage.objectCreator to [email protected] on the release-artifacts bucket.

Report Issue

Answer Description

Granting the predefined role roles/storage.objectCreator on the gs://release-artifacts bucket lets the service account write (upload) objects without granting the permissions to list bucket contents, read objects, overwrite existing ones, or delete them. Assigning the role at the bucket level confines the permission to just that resource, satisfying the least-privilege mandate.

The Storage Object Admin and Storage Admin roles both include powerful permissions such as object delete, update, and full bucket administration, which violate the requirement to prevent viewing, overwriting, or deleting existing objects and would grant privileges far beyond a single bucket. The legacyBucketWriter role also includes object delete permissions and is scoped for legacy ACLs at the project level, so it is overly permissive and applies more broadly than necessary.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.