
Least privilege principle in GCP - Mini Project: Build & Apply

Implementing Least Privilege Principle in GCP IAM
📖 Scenario: You are managing access to a Google Cloud Platform (GCP) project. To keep your project secure, you want to follow the least privilege principle. This means giving users only the permissions they need to do their job, nothing more. Imagine you have a team member who needs to view storage buckets but should not change or delete anything.
🎯 Goal: Build a simple IAM policy that grants a user the minimum permissions needed to view storage buckets in a GCP project.
📋 What You'll Learn
Create a dictionary called iam_policy representing the IAM policy.
Add a bindings list inside iam_policy.
Add a binding that grants the role roles/storage.objectViewer to the member user:viewer@example.com.
Ensure the policy follows the least privilege principle by granting only the necessary role.
💡 Why This Matters
🌍 Real World
IAM policies control who can do what in your cloud projects. Using least privilege helps keep your cloud resources safe from accidental or malicious changes.
💼 Career
Cloud engineers and security specialists regularly create and manage IAM policies to enforce security best practices in cloud environments.
1
Create the initial IAM policy dictionary
Create a dictionary called iam_policy with an empty list for the key bindings.
Need a hint?

Use curly braces {} to create a dictionary and set "bindings" to an empty list [].

2
Add a binding for the storage object viewer role
Add a dictionary to the bindings list inside iam_policy. This dictionary should have the key role with the value "roles/storage.objectViewer" and the key members with a list containing "user:viewer@example.com".
Need a hint?

Append a dictionary with keys role and members to the bindings list.

3
Verify the IAM policy structure
Use a for loop with the variable binding to iterate over iam_policy["bindings"] and check that each binding has the keys role and members.
Need a hint?

Use for binding in iam_policy["bindings"]: and check keys with "role" in binding.

4
Complete the IAM policy with version and etag
Add the keys version with value 1 and etag with value "BwWWja0YfJA=" to the iam_policy dictionary to complete the policy structure.
Need a hint?

Add "version": 1 and "etag": "BwWWja0YfJA=" keys to the iam_policy dictionary.
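
The four steps above assembled into one script, with the structural check from step 3 extended into a least-privilege audit. This is an added example, not the tutorial's own solution; the function names, the ALLOWED allow-list format and the wording of the findings are assumptions made for the example.

```python
# Added example: build the tutorial's policy, then audit it for least privilege.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # GCP basic roles
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}         # anyone on the internet

def build_policy():
    """Steps 1, 2 and 4: empty bindings, one viewer binding, version and etag."""
    iam_policy = {"bindings": []}
    iam_policy["bindings"].append({
        "role": "roles/storage.objectViewer",
        "members": ["user:viewer@example.com"],
    })
    iam_policy["version"] = 1
    iam_policy["etag"] = "BwWWja0YfJA="
    return iam_policy

def audit_policy(policy, allowed):
    """Return a list of findings; an empty list means nothing exceeds `allowed`.

    `allowed` maps a member to the set of roles that member is expected to
    hold (hypothetical allow-list format chosen for this example).
    """
    findings = []
    for i, binding in enumerate(policy.get("bindings", [])):
        # Step 3: every binding must carry both keys.
        if "role" not in binding or "members" not in binding:
            findings.append(f"binding {i}: missing role or members")
            continue
        role = binding["role"]
        if role in BROAD_ROLES:
            findings.append(f"binding {i}: basic role {role} is too broad")
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append(f"binding {i}: {role} granted to public member {member}")
            elif role not in allowed.get(member, set()):
                findings.append(f"binding {i}: unexpected grant {role} -> {member}")
    return findings

# The only grant the scenario calls for.
ALLOWED = {"user:viewer@example.com": {"roles/storage.objectViewer"}}

if __name__ == "__main__":
    for finding in audit_policy(build_policy(), ALLOWED) or ["no findings"]:
        print(finding)
```
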