GCP Professional Cloud Security Engineer Practice Question

Your company has deployed an internal administration portal on a group of Compute Engine instances behind an external HTTP(S) load balancer. Identity-Aware Proxy (IAP) has been enabled on the load balancer's backend service.

A group named [email protected] already has the following project-level IAM roles:

Compute Viewer (roles/compute.viewer)
Logging Viewer (roles/logging.viewer)

When members of the group browse to the portal, the IAP sign-in page appears, but after authentication they receive an HTTP 403 message saying they do not have access.

You must grant the minimum additional permission so that the group can reach the portal through IAP without allowing them to modify IAP or other resources.

Which IAM role should you assign to [email protected]?

IAP-Secured Web App User (roles/iap.httpsResourceAccessor)
IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor)
Project Editor (roles/editor)
IAP Admin (roles/iap.admin)

Report Issue

Answer Description

Users need the predefined role IAP-Secured Web App User (roles/iap.httpsResourceAccessor) to establish a session through Identity-Aware Proxy and reach HTTPS resources protected by IAP. This role grants only the iap.webServiceVersions.access and related read-only permissions required for access; it does not allow enabling, disabling, or configuring IAP, nor does it provide broad project-wide privileges. The existing Compute Viewer and Logging Viewer roles supply visibility into resources and logs but grant no IAP access. IAP-Secured Tunnel User applies only to TCP forwarding tunnels, Project Editor violates least-privilege by giving write access to most services, and IAP Admin allows configuration changes to IAP itself. Therefore, assigning roles/iap.httpsResourceAccessor is the correct least-privilege solution.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.