
Members (users, groups, service accounts) in GCP - Practice Problems & Coding Challenges

Challenge - 5 Problems

service_behavior
intermediate
Identify the member type from the IAM policy binding
Given the following IAM policy binding member string, what type of member does it represent?

serviceAccount:my-service-account@my-project.iam.gserviceaccount.com
A. A Google group
B. A user account
C. A service account
D. A Google Workspace domain
Hint: Look at the prefix before the colon in the member string.

Conceptual
intermediate
Understanding group members in IAM policies
Which of the following member strings correctly represents a Google group in an IAM policy binding?
A. user:alice@example.com
B. domain:example.com
C. serviceAccount:app@project.iam.gserviceaccount.com
D. group:dev-team@example.com
Hint: Groups have a specific prefix in the member string.

security
advanced
Least privilege principle with service accounts
You want to grant a Compute Engine VM the ability to read from a Cloud Storage bucket. Which member should you add to the bucket's IAM policy to follow the least privilege principle?
A. serviceAccount:my-vm@my-project.iam.gserviceaccount.com
B. user:admin@example.com
C. group:developers@example.com
D. domain:example.com
Hint: Grant permissions only to the entity that needs access, not to broad groups or domains.

Architecture
advanced
Choosing the right member type for automated workflows
You have an automated workflow running on Cloud Functions that needs to access BigQuery data. Which member type should you assign permissions to for best practice?
A. serviceAccount:cloud-functions-sa@my-project.iam.gserviceaccount.com
B. user:workflow-owner@example.com
C. group:data-analysts@example.com
D. domain:example.com
Hint: Automated workflows should use identities that represent the service, not individual users or broad groups.

Best Practice
expert
Managing access with Google Workspace domains in IAM
You want to grant read access to all users in your company's Google Workspace domain to a Cloud Storage bucket. Which member string should you use in the IAM policy binding?
A. user:all@example.com
B. domain:example.com
C. group:all@example.com
D. serviceAccount:all@example.com
Hint: Think about how to grant access to everyone in a domain without listing individual users or groups.

Practice

1. Which of the following is a correct way to specify a user as a member in GCP IAM?
easy
A. user:alice@example.com
B. serviceaccount:alice@example.com
C. group:alice@example.com
D. member:alice@example.com

Solution

  1. Step 1: Understand member types in GCP IAM

    GCP IAM requires a prefix to identify the member type, such as user, group, or serviceaccount.
  2. Step 2: Identify the correct prefix for a user

    The prefix for an individual user is user:. So the correct format is user:email.
  3. Final Answer:

    user:alice@example.com -> Option A
  4. Quick Check:

    User members start with 'user:' [OK]
Hint: User members always start with 'user:' prefix [OK]
Common Mistakes:
  • Using 'member:' prefix which is invalid
  • Confusing group and user prefixes
  • Using serviceaccount prefix for users
2. Which of the following is the correct syntax to specify a service account member in GCP IAM?
easy
A. service-account:my-service@project.iam.gserviceaccount.com
B. serviceaccount:my-service@project.iam.gserviceaccount.com
C. group:my-service@project.iam.gserviceaccount.com
D. user:my-service@project.iam.gserviceaccount.com

Solution

  1. Step 1: Recall the prefix for service accounts

    Service accounts use the prefix serviceaccount: followed by the full service account email.
  2. Step 2: Check each option's prefix

    Only serviceaccount:my-service@project.iam.gserviceaccount.com uses the correct prefix serviceaccount: without hyphens or mistakes.
  3. Final Answer:

    serviceaccount:my-service@project.iam.gserviceaccount.com -> Option B
  4. Quick Check:

    Service accounts use 'serviceaccount:' prefix [OK]
Hint: Service accounts use 'serviceaccount:' prefix without hyphens [OK]
Common Mistakes:
  • Using 'service-account:' with a hyphen
  • Using 'user:' prefix for service accounts
  • Using incomplete email addresses
3. Given the following IAM policy binding snippet, which member will have access?
{"role": "roles/viewer", "members": ["group:dev-team@example.com", "user:bob@example.com"]}
medium
A. Only users in the dev-team group and Bob
B. Only Bob
C. Only the dev-team group
D. All users in the project

Solution

  1. Step 1: Analyze the members list in the policy

    The members list includes group:dev-team@example.com and user:bob@example.com. Both are granted the role.
  2. Step 2: Understand access granted by group and user members

    All users in the dev-team group plus the individual user Bob have the role permissions.
  3. Final Answer:

    Only users in the dev-team group and Bob -> Option A
  4. Quick Check:

    Group and user members both get access [OK]
Hint: Group members grant access to all group users [OK]
Common Mistakes:
  • Assuming only one member gets access
  • Confusing group with user access scope
  • Thinking all project users get access
4. You tried to add a member with user:alice to an IAM policy but got an error. What is the likely cause?
medium
A. IAM policy does not support user members
B. Using 'user:' prefix instead of 'group:'
C. Service account email used instead of user email
D. Missing full email address after 'user:' prefix

Solution

  1. Step 1: Check the required format for user members

    User members must include the full email address after the user: prefix.
  2. Step 2: Identify the error cause

    Using just user:alice is incomplete and causes a format error.
  3. Final Answer:

    Missing full email address after 'user:' prefix -> Option D
  4. Quick Check:

    User members need full email [OK]
Hint: Always include full email after 'user:' [OK]
Common Mistakes:
  • Using only username without domain
  • Confusing user and group prefixes
  • Assuming IAM rejects user members
5. You want to grant a Cloud Function access to a Pub/Sub topic using a service account. Which member string should you add to the Pub/Sub IAM policy?
hard
A. group:cloud-function-sa@project.iam.gserviceaccount.com
B. user:cloud-function-sa@project.iam.gserviceaccount.com
C. serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com
D. service-account:cloud-function-sa@project.iam.gserviceaccount.com

Solution

  1. Step 1: Identify the correct member type for Cloud Function access

    Cloud Functions use service accounts to access other resources, so the member must be a service account.
  2. Step 2: Use the correct prefix for service accounts

    The prefix is serviceaccount: followed by the full service account email.
  3. Step 3: Verify the options

    Only serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com uses the correct prefix and format.
  4. Final Answer:

    serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com -> Option C
  5. Quick Check:

    Service accounts use 'serviceaccount:' prefix [OK]
Hint: Use 'serviceaccount:' prefix for Cloud Function identities [OK]
Common Mistakes:
  • Using 'user:' prefix for service accounts
  • Adding group instead of service account
  • Using incorrect prefix with hyphen
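
An added example, not part of the original quiz: a small linter that applies the member-format rules from the practice questions (known prefix, full email after it) and the least-privilege hint about broad groups and domains to every member of a policy. The function names, the sample policy and its second binding are constructed for illustration; the prefix is matched case-insensitively because this page writes the service account prefix in two spellings.

```python
import re

# Prefixes used on this page. Case-insensitive matching is a choice of this
# sketch (the page spells the service account prefix two ways), not an API rule.
KNOWN_TYPES = {"user", "group", "serviceaccount", "domain"}
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
SA_SUFFIX = ".iam.gserviceaccount.com"


def check_member(member):
    """Return (member_type, list_of_findings) for one member string."""
    prefix, sep, value = member.partition(":")
    kind = prefix.lower()
    if not sep or kind not in KNOWN_TYPES:
        return "unknown", ["unrecognised prefix %r" % prefix]
    findings = []
    if kind == "domain":
        if not DOMAIN_RE.match(value):
            findings.append("domain name expected after 'domain:'")
        findings.append("broad: every account in the domain")
    elif not EMAIL_RE.match(value):
        findings.append("full email address expected after the prefix")
    elif kind == "group":
        findings.append("broad: every member of the group")
    elif kind == "user" and value.endswith(SA_SUFFIX):
        findings.append("service account email under 'user:' prefix")
    return kind, findings


def audit_policy(policy):
    """Map each (role, member) to its findings; clean members are omitted."""
    report = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            _, findings = check_member(member)
            if findings:
                report[(binding["role"], member)] = findings
    return report


# Constructed sample policy built from member strings used on this page.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["group:dev-team@example.com", "user:bob@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:my-vm@my-project.iam.gserviceaccount.com",
                 "user:alice", "domain:example.com",
                 "service-account:my-service@project.iam.gserviceaccount.com"]},
]}
```

Calling `audit_policy(SAMPLE_POLICY)` returns findings for the group, the incomplete `user:alice`, the domain and the hyphenated prefix, while `user:bob@example.com` and the VM's service account pass without findings.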