IAM conditions use request.time.getHour() (note singular 'Hour') for hour-based access control. Option C correctly restricts access from 9:00 to 16:59 UTC daily. Option C only applies to one specific day. Option C ends before 5 PM. Option C uses invalid timestamp format (missing date).
The ip_cidr_range() function checks if request.ip is within the specified CIDR block. Option B uses the correct syntax request.ip in ip_cidr_range('192.168.1.0/24'). Option B incorrectly compares to a CIDR string. Option B uses unsupported startsWith(). Option B treats CIDR as array element.
resource.project == 'project-123' (or more precisely resource.name.startsWith('projects/project-123/')) restricts to the project. request.time.getDayOfWeek() returns 1=Monday to 7=Sunday. Option A uses the standard >=1 <=5 for weekdays (Mon-Fri). Options B and D are logically equivalent. Option A only allows Tue-Thu.
Use request.auth.token_email to access the authenticated principal's email. endsWith() checks the domain suffix. Option D is correct. Option D uses invalid property request.auth.email. Option D checks exact match to domain only. Option D uses unsupported contains().
request.time < timestamp('2024-12-31T23:59:59Z') && request.auth.token_email.endsWith('@partner.com')
What will happen if a user with email user@partner.com tries to access the bucket on 2025-01-01T00:00:00Z?
The condition uses logical AND (&&): both time < 2024-12-31...Z AND email ends with @partner.com must be true. On 2025-01-01, the time condition fails, denying access regardless of email match.