Complete the code to assign the minimum required role to a user in GCP IAM.
resource = client.project_iam_policy('projects/my-project')
policy = resource.get()
policy.bindings.append({
    'role': '[1]',
    'members': ['user:alice@example.com']
})
resource.set(policy)
The roles/viewer role grants read-only access, which meets the requirement without granting any write or administrative permission. Note that roles/viewer is a basic role covering every service in the project; if the user only needs one service, a predefined read-only role for that service (for example roles/storage.objectViewer) or a custom role is closer to least privilege.
Complete the code to create a custom IAM role with only the necessary permission to read storage buckets.
custom_role = {
'title': 'StorageReadOnly',
'permissions': ['[1]'],
'stage': 'GA'
}
The permission storage.buckets.get lets the role read a bucket's metadata (for example its location and storage class) and nothing else: it does not list or read objects, which would require storage.objects.list and storage.objects.get. A custom role should carry exactly the permissions the task needs and no more.
Fix the error in the policy binding to follow the least privilege principle by assigning the correct role for Pub/Sub topic publishing.
policy.bindings.append({
    'role': '[1]',
    'members': ['serviceAccount:my-service-account@my-project.iam.gserviceaccount.com']
})
The roles/pubsub.publisher role grants only the permission to publish messages (pubsub.topics.publish), so the service account can publish but cannot create, delete, or subscribe to topics; roles/pubsub.editor or roles/pubsub.admin would be over-broad. Binding the role on the specific topic rather than on the project restricts the account further, to that one topic.
Fill both blanks to create an IAM policy that grants a user read access to BigQuery datasets but no write access.
policy.bindings.append({
    'role': '[1]',
    'members': ['user:bob@example.com']
})
policy.bindings.append({
    'role': '[2]',
    'members': ['user:bob@example.com']
})
roles/bigquery.dataViewer grants read access to datasets and their tables, and roles/bigquery.jobUser grants bigquery.jobs.create so bob can run query jobs in the project. Neither role allows modifying tables or dataset contents; writes would additionally require roles/bigquery.dataEditor. Where possible, grant dataViewer on the specific datasets bob needs rather than on the whole project.
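The binding exercises above all append to a policy's bindings list. The helpers below are an added example, not code from the original page or from Google's client libraries; they operate on the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, add a member to a role without creating duplicate bindings, and flag grants that contradict least privilege. The sample policy, project id, member names and etag are constructed.

```python
import copy

# Basic roles grant broad access across every service in the project;
# least privilege prefers predefined or custom roles instead.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` (etag is made up).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwEXAMPLE=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
    ],
}


def add_binding(policy, role, member):
    """Return a copy of policy with member granted role.

    An existing unconditional binding for the role is reused, so the policy
    never ends up with two bindings for one role or a member listed twice.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def remove_member(policy, member):
    """Return a copy of policy with member removed from every binding.

    Bindings left with no members are dropped.
    """
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def find_overbroad_bindings(policy):
    """Return (role, member) pairs that contradict least privilege.

    Flags basic roles, roles whose name ends in 'admin', and any grant to
    the public principals allUsers / allAuthenticatedUsers.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        broad_role = role in BASIC_ROLES or role.lower().endswith("admin")
        for member in binding["members"]:
            if broad_role or member in PUBLIC_MEMBERS:
                findings.append((role, member))
    return findings


if __name__ == "__main__":
    # Grant the roles from the exercises above, then audit the result.
    policy = add_binding(SAMPLE_POLICY, "roles/viewer", "user:alice@example.com")
    policy = add_binding(
        policy, "roles/pubsub.publisher",
        "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com")
    policy = add_binding(policy, "roles/bigquery.dataViewer", "user:bob@example.com")
    policy = add_binding(policy, "roles/bigquery.jobUser", "user:bob@example.com")
    for role, member in find_overbroad_bindings(policy):
        print(f"over-broad grant: {member} has {role}")
```

The audit flags the roles/owner and roles/editor grants, the public allUsers grant, and also alice's roles/viewer, because it is a basic role; the pubsub and bigquery grants pass. Edit the exported JSON with these helpers and apply it with `gcloud projects set-iam-policy PROJECT policy.json`; the etag carried in the file makes the write fail if someone else changed the policy in between.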
Fill all three blanks to define a firewall rule that allows only SSH access from a specific IP range, following least privilege.
firewall_rule = {
'name': 'allow-ssh',
'allowed': [
{
'IPProtocol': '[1]',
'ports': ['[2]']
}
],
'sourceRanges': ['[3]']
}
The rule allows TCP on port 22 (SSH) only from 192.168.1.0/24 rather than from 0.0.0.0/0, limiting access as least privilege requires. Two further restrictions a least-privilege rule usually carries: 'direction': 'INGRESS' stated explicitly (it is the default), and 'targetTags' or 'targetServiceAccounts', because without them the rule applies to every instance in the network rather than only to the hosts that should accept SSH.
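The rule above restricts protocol, port and source; the checker below is an added example (not from the original page or from Google's tooling) that scores a rule in the shape of a compute.firewalls.insert body against those criteria plus the target restriction. It flags catch-all source ranges, the 'all' protocol, missing or very wide port lists, and rules with no targetTags or targetServiceAccounts. The three sample rules, the tag name and the port-span threshold are constructed.

```python
import ipaddress

# Source ranges that make an ingress rule reachable from the whole internet.
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
WIDE_PORT_SPAN = 1024  # flag tcp/udp ranges covering this many ports or more (assumed threshold)

# Constructed rules in the shape of a compute.firewalls.insert body.
SSH_FROM_SUBNET = {             # the rule from the exercise above
    "name": "allow-ssh",
    "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    "sourceRanges": ["192.168.1.0/24"],
}
SSH_FROM_SUBNET_TO_BASTION = {  # same rule, scoped to tagged instances only
    **SSH_FROM_SUBNET,
    "name": "allow-ssh-bastion",
    "direction": "INGRESS",
    "targetTags": ["bastion"],
}
ALLOW_EVERYTHING = {            # the kind of rule this check exists to catch
    "name": "allow-all",
    "allowed": [{"IPProtocol": "all"}],
    "sourceRanges": ["0.0.0.0/0"],
}


def _port_span(port):
    """Number of ports covered by a port entry such as '22' or '8000-8010'."""
    low, _, high = port.partition("-")
    return int(high) - int(low) + 1 if high else 1


def check_firewall_rule(rule):
    """Return a list of least-privilege findings for an ingress firewall rule.

    An empty list means the rule restricts protocol, ports, sources and
    targets. Egress rules are not assessed here.
    """
    findings = []
    if rule.get("direction", "INGRESS") != "INGRESS":
        return findings

    sources = rule.get("sourceRanges", [])
    if not (sources or rule.get("sourceTags") or rule.get("sourceServiceAccounts")):
        findings.append("no source restriction: the rule applies to all sources")
    for cidr in sources:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid source range {cidr!r}")
            continue
        if net in CATCH_ALL:
            findings.append(f"source range {cidr} admits the whole internet")

    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        ports = entry.get("ports", [])
        if proto == "all":
            findings.append("IPProtocol 'all' admits every protocol")
        elif proto in ("tcp", "udp"):
            if not ports:
                findings.append(f"{proto} with no port list admits every {proto} port")
            for port in ports:
                if _port_span(port) >= WIDE_PORT_SPAN:
                    findings.append(f"{proto} port range {port} is very wide")

    if not (rule.get("targetTags") or rule.get("targetServiceAccounts")):
        findings.append("no targetTags/targetServiceAccounts: "
                        "the rule applies to every instance in the network")
    return findings


if __name__ == "__main__":
    for rule in (SSH_FROM_SUBNET, SSH_FROM_SUBNET_TO_BASTION, ALLOW_EVERYTHING):
        print(rule["name"], check_firewall_rule(rule) or ["ok"])
```

Run against the three samples, the exercise's rule gets a single finding (no target restriction), the bastion-scoped variant passes clean, and the allow-all rule is flagged three times. The same function can be pointed at the JSON from `gcloud compute firewall-rules describe NAME --format=json` to review rules already deployed.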