Challenge - 5 Problems
Master of Members in GCP IAM
service_behavior
intermediate
Identify the member type from the IAM policy binding
Given the following IAM policy binding member string, what type of member does it represent?
serviceAccount:my-service-account@my-project.iam.gserviceaccount.com
Hint
Look at the prefix before the colon in the member string.
The prefix 'serviceAccount:' indicates the member is a service account, which is a special account used by applications or virtual machines to interact with Google Cloud services.
Conceptual
intermediate
Understanding group members in IAM policies
Which of the following member strings correctly represents a Google group in an IAM policy binding?
Hint
Groups have a specific prefix in the member string.
The prefix 'group:' identifies the member as a Google group, which can contain multiple users and service accounts.
security
advanced
Least privilege principle with service accounts
You want to grant a Compute Engine VM the ability to read from a Cloud Storage bucket. Which member should you add to the bucket's IAM policy to follow the least privilege principle?
Hint
Grant permissions only to the entity that needs access, not to broad groups or domains.
Granting the service account associated with the VM limits access to only that VM, following the least privilege principle.
Architecture
advanced
Choosing the right member type for automated workflows
You have an automated workflow running on Cloud Functions that needs to access BigQuery data. Which member type should you assign permissions to for best practice?
Hint
Automated workflows should use identities that represent the service, not individual users or broad groups.
Using a service account for Cloud Functions allows fine-grained control and better security for automated workflows.
Best Practice
expert
Managing access with Google Workspace domains in IAM
You want to grant read access to all users in your company's Google Workspace domain to a Cloud Storage bucket. Which member string should you use in the IAM policy binding?
Hint
Think about how to grant access to everyone in a domain without listing individual users or groups.
Using 'domain:example.com' grants access to all users in that Google Workspace domain, which is efficient for company-wide permissions.