
IAM policy binding in GCP - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is an IAM policy binding in Google Cloud?
An IAM policy binding connects a role to one or more members, defining who has what permissions on a resource.
beginner
What are the main components of an IAM policy binding?
The main components are:
1. Role - a set of permissions.
2. Members - users, groups, or service accounts.
3. Condition (optional) - a rule to limit when the binding applies.
beginner
How do you specify a member in an IAM policy binding?
Members are specified by their type and identity, for example:
- user:email@example.com
- serviceAccount:my-sa@project.iam.gserviceaccount.com
- group:group@example.com
intermediate
What is the purpose of a condition in an IAM policy binding?
A condition limits when the binding applies, based on attributes such as the request time or properties of the resource, adding an extra layer of access control on top of the role itself.
beginner
Why should you follow the principle of least privilege when creating IAM policy bindings?
To give only the minimum permissions needed, reducing the risk of accidental or malicious actions on your cloud resources.
What does an IAM policy binding connect in Google Cloud?
A. A VM to a network
B. A role to members
C. A project to a billing account
D. A storage bucket to a folder

Which of the following is NOT a valid member type in an IAM policy binding?
A. user:email@example.com
B. serviceAccount:my-sa@project.iam.gserviceaccount.com
C. device:device123
D. group:group@example.com

What is the role of a condition in an IAM policy binding?
A. To limit when the binding applies
B. To assign a role permanently
C. To list all members
D. To delete the binding

Which principle helps reduce risk when assigning IAM roles?
A. Principle of least privilege
B. Principle of maximum access
C. Principle of open sharing
D. Principle of unlimited roles

In an IAM policy binding, what does the 'role' represent?
A. A billing account
B. A user account
C. A network location
D. A set of permissions
Explain what an IAM policy binding is and its main components.
Think about who gets what permissions and under what conditions.
Describe why using conditions in IAM policy bindings can improve security.
Consider how rules can restrict access based on time or resource attributes.

      Practice

      1. What does an IAM policy binding do in Google Cloud?
      easy
      A. It connects a role to one or more members to grant permissions.
      B. It creates a new Google Cloud project.
      C. It deletes user accounts from the organization.
      D. It monitors network traffic between services.

      Solution

      1. Step 1: Understand IAM policy binding purpose

        An IAM policy binding links a role, which defines permissions, to members like users or service accounts.
      2. Step 2: Identify correct function

        Only option A, "It connects a role to one or more members to grant permissions.", describes this connection; the other options describe unrelated actions.
      3. Final Answer:

        It connects a role to one or more members to grant permissions. -> Option A
      4. Quick Check:

        IAM binding = role + members [OK]
      Hint: IAM binding links roles to members for permissions [OK]
      Common Mistakes:
      • Confusing IAM binding with project creation
      • Thinking IAM binding deletes users
      • Mixing IAM with network monitoring
      2. Which of the following is the correct syntax snippet to bind a role to a user in a GCP IAM policy JSON?
      easy
      A. {"roles": "roles/viewer", "members": ["user:alice@example.com"]}
      B. {"role": "roles/viewer", "member": "user:alice@example.com"}
      C. {"role": "roles/viewer", "members": "user:alice@example.com"}
      D. {"role": "roles/viewer", "members": ["user:alice@example.com"]}

      Solution

      1. Step 1: Check JSON key names

        The correct keys are 'role' and 'members'. 'members' must be a list even when there is only one member.
      2. Step 2: Validate member format

        The member must be inside a list and carry the correct prefix, such as 'user:'. Option D, {"role": "roles/viewer", "members": ["user:alice@example.com"]}, matches this exactly.
      3. Final Answer:

        {"role": "roles/viewer", "members": ["user:alice@example.com"]} -> Option D
      4. Quick Check:

        Role + members list = correct syntax [OK]
      Hint: Members must be a list, even for one user [OK]
      Common Mistakes:
      • Using 'member' instead of 'members'
      • Not using a list for members
      • Swapping 'role' and 'roles' keys
      3. Given this IAM policy snippet, which member has the 'roles/editor' role?
      {
        "bindings": [
          {
            "role": "roles/viewer",
            "members": ["user:bob@example.com"]
          },
          {
            "role": "roles/editor",
            "members": ["serviceAccount:app@project.iam.gserviceaccount.com"]
          }
        ]
      }
      medium
      A. user:alice@example.com
      B. user:bob@example.com
      C. serviceAccount:app@project.iam.gserviceaccount.com
      D. group:admins@example.com

      Solution

      1. Step 1: Locate 'roles/editor' binding

        Look for the binding whose role is 'roles/editor' in the JSON; its members list contains a single service account.
      2. Step 2: Identify member with 'roles/editor'

        The member is 'serviceAccount:app@project.iam.gserviceaccount.com'. Other members have different roles.
      3. Final Answer:

        serviceAccount:app@project.iam.gserviceaccount.com -> Option C
      4. Quick Check:

        Editor role assigned to service account [OK]
      Hint: Match role key to find correct member [OK]
      Common Mistakes:
      • Confusing roles/viewer with roles/editor
      • Picking a member not listed under the role
      • Ignoring service account prefix
      4. You have this IAM policy JSON snippet:
      {
        "bindings": [
          {
            "role": "roles/storage.admin",
            "members": "user:carol@example.com"
          }
        ]
      }
      What is wrong with this policy binding?
      medium
      A. The policy is missing a 'version' field.
      B. The 'members' field should be a list, not a string.
      C. The user email format is incorrect.
      D. The 'role' field is misspelled.

      Solution

      1. Step 1: Check 'members' field type

        The 'members' field must be a list of strings, not a single string.
      2. Step 2: Verify other fields

        'role' is correctly spelled, user email format is valid, and 'version' is optional.
      3. Final Answer:

        The 'members' field should be a list, not a string. -> Option B
      4. Quick Check:

        Members must be a list [OK]
      Hint: Members always need square brackets [] [OK]
      Common Mistakes:
      • Using string instead of list for members
      • Assuming 'version' is mandatory
      • Mistaking email format as error
      5. You want to grant the 'roles/logging.logWriter' role to all users in your organization except external users. Which IAM policy binding approach is best?
      hard
      A. Bind 'roles/logging.logWriter' to 'domain:yourcompany.com' member.
      B. Bind 'roles/logging.logWriter' to 'allAuthenticatedUsers' member.
      C. Bind 'roles/logging.logWriter' to 'allUsers' member.
      D. Bind 'roles/logging.logWriter' to 'user:external@example.com' member.

      Solution

      1. Step 1: Understand member types

        'allUsers' includes everyone, including external; 'allAuthenticatedUsers' includes any signed-in Google user; 'domain:' restricts to your company domain.
      2. Step 2: Choose member to exclude external users

        Using 'domain:yourcompany.com' grants access only to users in your company domain, excluding external users.
      3. Final Answer:

        Bind 'roles/logging.logWriter' to 'domain:yourcompany.com' member. -> Option A
      4. Quick Check:

        Domain member limits to internal users [OK]
      Hint: Use domain: to restrict to company users [OK]
      Common Mistakes:
      • Using allUsers exposes to everyone
      • Using allAuthenticatedUsers includes external Google accounts
      • Binding to single external user misses others