Bird
Raised Fist0
GCPcloud~30 mins

Members (users, groups, service accounts) in GCP - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Manage GCP IAM Members
📖 Scenario: You are setting up access control for a Google Cloud project. You need to manage members such as users, groups, and service accounts by adding them to the project's IAM policy.
🎯 Goal: Build a simple IAM policy configuration that includes specific members with their roles for a Google Cloud project.
📋 What You'll Learn
Create a dictionary called members with exact member emails and their roles
Add a variable called project_id with the exact project ID string
Write a function called build_iam_policy that returns the IAM policy dictionary with bindings
Add the final line that calls build_iam_policy() and assigns it to iam_policy
💡 Why This Matters
🌍 Real World
Managing IAM members and roles is essential for controlling access to cloud resources securely and efficiently.
💼 Career
Cloud engineers and administrators regularly configure IAM policies to enforce security and compliance in cloud environments.
Progress0 / 4 steps
1
Create the initial members dictionary
Create a dictionary called members with these exact entries: 'user:alice@example.com': 'roles/viewer', 'group:devs@example.com': 'roles/editor', and 'serviceAccount:my-service@project.iam.gserviceaccount.com': 'roles/owner'.
GCP
Hint

Use a Python dictionary with member strings as keys and role strings as values.

2
Add the project ID variable
Add a variable called project_id and set it exactly to 'my-gcp-project'.
GCP
Hint

Assign the exact string to project_id.

3
Write the function to build IAM policy
Write a function called build_iam_policy that returns a dictionary with a bindings key. The value should be a list of dictionaries, each with keys role and members. Group members by their roles from the members dictionary.
GCP
Hint

Use a dictionary to group members by role, then build the bindings list.

4
Assign the IAM policy to a variable
Add a line that calls build_iam_policy() and assigns the result to a variable called iam_policy.
GCP
Hint

Call the function and assign its return value to iam_policy.

Practice

(1/5)
1. Which of the following is a correct way to specify a user as a member in GCP IAM?
easy
A. user:alice@example.com
B. serviceaccount:alice@example.com
C. group:alice@example.com
D. member:alice@example.com

Solution

  1. Step 1: Understand member types in GCP IAM

    GCP IAM requires a prefix to identify the member type, such as user, group, or serviceaccount.

  2. Step 2: Identify the correct prefix for a user

    The prefix for an individual user is user:. So the correct format is user:email.

  3. Final Answer:

    user:alice@example.com -> Option A

  4. Quick Check:

    User members start with 'user:' [OK]
Hint: User members always start with 'user:' prefix [OK]
Common Mistakes:
  • Using 'member:' prefix which is invalid
  • Confusing group and user prefixes
  • Using serviceaccount prefix for users
2. Which of the following is the correct syntax to specify a service account member in GCP IAM?
easy
A. service-account:my-service@project.iam.gserviceaccount.com
B. serviceaccount:my-service@project.iam.gserviceaccount.com
C. group:my-service@project.iam.gserviceaccount.com
D. user:my-service@project.iam.gserviceaccount.com

Solution

  1. Step 1: Recall the prefix for service accounts

    Service accounts use the prefix serviceaccount: followed by the full service account email.

  2. Step 2: Check each option's prefix

    Only serviceaccount:my-service@project.iam.gserviceaccount.com uses the correct prefix serviceaccount: without hyphens or mistakes.

  3. Final Answer:

    serviceaccount:my-service@project.iam.gserviceaccount.com -> Option B

  4. Quick Check:

    Service accounts use 'serviceaccount:' prefix [OK]
Hint: Service accounts use 'serviceaccount:' prefix without hyphens [OK]
Common Mistakes:
  • Using 'service-account:' with a hyphen
  • Using 'user:' prefix for service accounts
  • Using incomplete email addresses
3. Given the following IAM policy binding snippet, which member will have access?
{"role": "roles/viewer", "members": ["group:dev-team@example.com", "user:bob@example.com"]}
medium
A. Only users in the dev-team group and Bob
B. Only Bob
C. Only the dev-team group
D. All users in the project

Solution

  1. Step 1: Analyze the members list in the policy

    The members list includes group:dev-team@example.com and user:bob@example.com. Both are granted the role.

  2. Step 2: Understand access granted by group and user members

    All users in the dev-team group plus the individual user Bob have the role permissions.

  3. Final Answer:

    Only users in the dev-team group and Bob -> Option A

  4. Quick Check:

    Group and user members both get access [OK]
Hint: Group members grant access to all group users [OK]
Common Mistakes:
  • Assuming only one member gets access
  • Confusing group with user access scope
  • Thinking all project users get access
4. You tried to add a member with user:alice to an IAM policy but got an error. What is the likely cause?
medium
A. IAM policy does not support user members
B. Using 'user:' prefix instead of 'group:'
C. Service account email used instead of user email
D. Missing full email address after 'user:' prefix

Solution

  1. Step 1: Check the required format for user members

    User members must include the full email address after the user: prefix.

  2. Step 2: Identify the error cause

    Using just user:alice is incomplete and causes a format error.

  3. Final Answer:

    Missing full email address after 'user:' prefix -> Option D

  4. Quick Check:

    User members need full email [OK]
Hint: Always include full email after 'user:' [OK]
Common Mistakes:
  • Using only username without domain
  • Confusing user and group prefixes
  • Assuming IAM rejects user members
5. You want to grant a Cloud Function access to a Pub/Sub topic using a service account. Which member string should you add to the Pub/Sub IAM policy?
hard
A. group:cloud-function-sa@project.iam.gserviceaccount.com
B. user:cloud-function-sa@project.iam.gserviceaccount.com
C. serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com
D. service-account:cloud-function-sa@project.iam.gserviceaccount.com

Solution

  1. Step 1: Identify the correct member type for Cloud Function access

    Cloud Functions use service accounts to access other resources, so the member must be a service account.

  2. Step 2: Use the correct prefix for service accounts

    The prefix is serviceaccount: followed by the full service account email.

  3. Step 3: Verify the options

    Only serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com uses the correct prefix and format.

  4. Final Answer:

    serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com -> Option C

  5. Quick Check:

    Service accounts use 'serviceaccount:' prefix [OK]
Hint: Use 'serviceaccount:' prefix for Cloud Function identities [OK]
Common Mistakes:
  • Using 'user:' prefix for service accounts
  • Adding group instead of service account
  • Using incorrect prefix with hyphen