
IAM policy binding in GCP - Interactive Code Practice

Practice - 5 Tasks
Answer the questions below
1. Fill in the blank (easy)

Complete the code to specify the role in the IAM policy binding.

GCP
{
  "role": "[1]",
  "members": ["user:alice@example.com"]
}
A. roles/storage.admin
B. roles/editor
C. roles/owner
D. roles/viewer
Common Mistakes:
  • Choosing roles/editor or roles/owner when only read access is needed.
  • Using a storage-specific role when the task is general.
2. Fill in the blank (medium)

Complete the code to specify a member type in the IAM policy binding.

GCP
{
  "role": "roles/viewer",
  "members": ["[1]:bob@example.com"]
}
A. user
B. serviceAccount
C. group
D. domain
Common Mistakes:
  • Using group or domain when specifying a single user.
  • Using serviceAccount when the member is a user.
3. Fill in the blank (hard)

Fix the error in the IAM policy binding by completing the member string correctly.

GCP
{
  "role": "roles/storage.objectViewer",
  "members": ["[1]:my-service-account@project.iam.gserviceaccount.com"]
}
A. user
B. serviceAccount
C. group
D. domain
Common Mistakes:
  • Using the user or group prefix for service account emails.
  • Omitting the prefix entirely.
4. Fill in the blanks (hard)

Fill both blanks to create an IAM policy binding with a group member and the correct role.

GCP
{
  "role": "[1]",
  "members": ["[2]:admins@example.com"]
}
A. roles/editor
B. user
C. group
D. roles/viewer
Common Mistakes:
  • Using user instead of group for a group email.
  • Choosing roles/viewer instead of roles/editor for editing access.
5. Fill in the blanks (hard)

Fill both blanks to create an IAM policy binding with a domain member and a storage admin role.

GCP
{
  "role": "[1]",
  "members": ["[2]:example.com"]
}
A. roles/viewer
B. user
C. domain
D. roles/storage.admin
Common Mistakes:
  • Using user or group instead of domain for domain-wide access.
  • Choosing roles/viewer instead of roles/storage.admin for admin access.

Practice

1. What does an IAM policy binding do in Google Cloud?
easy
A. It connects a role to one or more members to grant permissions.
B. It creates a new Google Cloud project.
C. It deletes user accounts from the organization.
D. It monitors network traffic between services.

Solution

  1. Step 1: Understand IAM policy binding purpose

    An IAM policy binding links a role, which defines permissions, to members like users or service accounts.
  2. Step 2: Identify correct function

    Only "It connects a role to one or more members to grant permissions." describes this connection; the other options describe unrelated actions.
  3. Final Answer:

    It connects a role to one or more members to grant permissions. -> Option A
  4. Quick Check:

    IAM binding = role + members [OK]
Hint: IAM binding links roles to members for permissions [OK]
Common Mistakes:
  • Confusing IAM binding with project creation
  • Thinking IAM binding deletes users
  • Mixing IAM with network monitoring
2. Which of the following is the correct syntax snippet to bind a role to a user in a GCP IAM policy JSON?
easy
A. {"roles": "roles/viewer", "members": ["user:alice@example.com"]}
B. {"role": "roles/viewer", "member": "user:alice@example.com"}
C. {"role": "roles/viewer", "members": "user:alice@example.com"}
D. {"role": "roles/viewer", "members": ["user:alice@example.com"]}

Solution

  1. Step 1: Check JSON key names

    The correct keys are 'role' and 'members'. 'members' must be a list even when there is only one member.
  2. Step 2: Validate member format

    The member must be inside a list and carry the correct prefix, such as 'user:'. {"role": "roles/viewer", "members": ["user:alice@example.com"]} matches this exactly.
  3. Final Answer:

    {"role": "roles/viewer", "members": ["user:alice@example.com"]} -> Option D
  4. Quick Check:

    Role + members list = correct syntax [OK]
Hint: Members must be a list, even for one user [OK]
Common Mistakes:
  • Using 'member' instead of 'members'
  • Not using a list for members
  • Swapping 'role' and 'roles' keys
3. Given this IAM policy snippet, which member has the 'roles/editor' role?
{
  "bindings": [
    {
      "role": "roles/viewer",
      "members": ["user:bob@example.com"]
    },
    {
      "role": "roles/editor",
      "members": ["serviceAccount:app@project.iam.gserviceaccount.com"]
    }
  ]
}
medium
A. user:alice@example.com
B. user:bob@example.com
C. serviceAccount:app@project.iam.gserviceaccount.com
D. group:admins@example.com

Solution

  1. Step 1: Locate 'roles/editor' binding

    Look for the binding with role 'roles/editor' in the JSON; its members list contains one service account.
  2. Step 2: Identify member with 'roles/editor'

    The member is 'serviceAccount:app@project.iam.gserviceaccount.com'. The other members are bound to different roles.
  3. Final Answer:

    serviceAccount:app@project.iam.gserviceaccount.com -> Option C
  4. Quick Check:

    Editor role assigned to service account [OK]
Hint: Match role key to find correct member [OK]
Common Mistakes:
  • Confusing roles/viewer with roles/editor
  • Picking a member not listed under the role
  • Ignoring service account prefix
4. You have this IAM policy JSON snippet:
{
  "bindings": [
    {
      "role": "roles/storage.admin",
      "members": "user:carol@example.com"
    }
  ]
}
What is wrong with this policy binding?
medium
A. The policy is missing a 'version' field.
B. The 'members' field should be a list, not a string.
C. The user email format is incorrect.
D. The 'role' field is misspelled.

Solution

  1. Step 1: Check 'members' field type

    The 'members' field must be a list of strings, not a single string.
  2. Step 2: Verify other fields

    'role' is correctly spelled, the user email format is valid, and 'version' is optional.
  3. Final Answer:

    The 'members' field should be a list, not a string. -> Option B
  4. Quick Check:

    Members must be a list [OK]
Hint: Members always need square brackets [] [OK]
Common Mistakes:
  • Using string instead of list for members
  • Assuming 'version' is mandatory
  • Mistaking email format as error
5. You want to grant the 'roles/logging.logWriter' role to all users in your organization except external users. Which IAM policy binding approach is best?
hard
A. Bind 'roles/logging.logWriter' to 'domain:yourcompany.com' member.
B. Bind 'roles/logging.logWriter' to 'allAuthenticatedUsers' member.
C. Bind 'roles/logging.logWriter' to 'allUsers' member.
D. Bind 'roles/logging.logWriter' to 'user:external@example.com' member.

Solution

  1. Step 1: Understand member types

    'allUsers' includes everyone, including external and anonymous users; 'allAuthenticatedUsers' includes any signed-in Google account; 'domain:' restricts access to your company's domain.
  2. Step 2: Choose member to exclude external users

    Using 'domain:yourcompany.com' grants access only to users in your company domain, excluding external users.
  3. Final Answer:

    Bind 'roles/logging.logWriter' to 'domain:yourcompany.com' member. -> Option A
  4. Quick Check:

    Domain member limits to internal users [OK]
Hint: Use domain: to restrict to company users [OK]
Common Mistakes:
  • Using allUsers exposes to everyone
  • Using allAuthenticatedUsers includes external Google accounts
  • Binding to single external user misses others