Bird
Raised Fist0
GCPcloud~5 mins

Members (users, groups, service accounts) in GCP - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is a 'user' in Google Cloud Platform (GCP)?
A user is an individual person who has a Google account and can access GCP resources with permissions assigned to their account.
Click to reveal answer
beginner
What is a 'group' in GCP IAM?
A group is a collection of users managed together. Assigning permissions to a group applies those permissions to all users in that group.
Click to reveal answer
beginner
What is a 'service account' in GCP?
A service account is a special account used by applications or virtual machines to access GCP resources securely without user intervention.
Click to reveal answer
intermediate
Why use groups instead of assigning permissions to individual users?
Groups simplify management by letting you assign permissions once to many users, making it easier to add or remove users without changing permissions repeatedly.
Click to reveal answer
intermediate
How do service accounts improve security in GCP?
Service accounts allow applications to have their own identity with limited permissions, reducing risk by not using user credentials and enabling fine-grained access control.
Click to reveal answer
Which member type in GCP is best for an application to access resources securely?
AUser
BService Account
CDomain
DGroup
What happens when you assign a role to a group in GCP IAM?
AAll users in the group get the role permissions
BOnly the group owner gets the role
CThe role is assigned to all users in the project
DThe role is assigned to service accounts only
Which of these is NOT a valid member type in GCP IAM?
AUser
BService Account
CVirtual Machine
DGroup
Why should you avoid using user accounts for automated tasks in GCP?
AUser accounts cannot access GCP
BUser accounts expire quickly
CUser accounts have no permissions
DUser credentials can be less secure and harder to manage for automation
What is the main benefit of using groups in GCP IAM?
AGroups simplify permission management for multiple users
BGroups are used to store data
CGroups can run virtual machines
DGroups replace service accounts
Explain the differences between users, groups, and service accounts in GCP IAM.
Think about who or what needs access and how they are managed.
You got /3 concepts.
    Describe why service accounts are important for security in GCP.
    Consider automated tasks and how they should access resources safely.
    You got /3 concepts.

      Practice

      (1/5)
      1. Which of the following is a correct way to specify a user as a member in GCP IAM?
      easy
      A. user:alice@example.com
      B. serviceaccount:alice@example.com
      C. group:alice@example.com
      D. member:alice@example.com

      Solution

      1. Step 1: Understand member types in GCP IAM

        GCP IAM requires a prefix to identify the member type, such as user, group, or serviceaccount.

      2. Step 2: Identify the correct prefix for a user

        The prefix for an individual user is user:. So the correct format is user:email.

      3. Final Answer:

        user:alice@example.com -> Option A

      4. Quick Check:

        User members start with 'user:' [OK]
      Hint: User members always start with 'user:' prefix [OK]
      Common Mistakes:
      • Using 'member:' prefix which is invalid
      • Confusing group and user prefixes
      • Using serviceaccount prefix for users
      2. Which of the following is the correct syntax to specify a service account member in GCP IAM?
      easy
      A. service-account:my-service@project.iam.gserviceaccount.com
      B. serviceaccount:my-service@project.iam.gserviceaccount.com
      C. group:my-service@project.iam.gserviceaccount.com
      D. user:my-service@project.iam.gserviceaccount.com

      Solution

      1. Step 1: Recall the prefix for service accounts

        Service accounts use the prefix serviceaccount: followed by the full service account email.

      2. Step 2: Check each option's prefix

        Only serviceaccount:my-service@project.iam.gserviceaccount.com uses the correct prefix serviceaccount: without hyphens or mistakes.

      3. Final Answer:

        serviceaccount:my-service@project.iam.gserviceaccount.com -> Option B

      4. Quick Check:

        Service accounts use 'serviceaccount:' prefix [OK]
      Hint: Service accounts use 'serviceaccount:' prefix without hyphens [OK]
      Common Mistakes:
      • Using 'service-account:' with a hyphen
      • Using 'user:' prefix for service accounts
      • Using incomplete email addresses
      3. Given the following IAM policy binding snippet, which member will have access?
      {"role": "roles/viewer", "members": ["group:dev-team@example.com", "user:bob@example.com"]}
      medium
      A. Only users in the dev-team group and Bob
      B. Only Bob
      C. Only the dev-team group
      D. All users in the project

      Solution

      1. Step 1: Analyze the members list in the policy

        The members list includes group:dev-team@example.com and user:bob@example.com. Both are granted the role.

      2. Step 2: Understand access granted by group and user members

        All users in the dev-team group plus the individual user Bob have the role permissions.

      3. Final Answer:

        Only users in the dev-team group and Bob -> Option A

      4. Quick Check:

        Group and user members both get access [OK]
      Hint: Group members grant access to all group users [OK]
      Common Mistakes:
      • Assuming only one member gets access
      • Confusing group with user access scope
      • Thinking all project users get access
      4. You tried to add a member with user:alice to an IAM policy but got an error. What is the likely cause?
      medium
      A. IAM policy does not support user members
      B. Using 'user:' prefix instead of 'group:'
      C. Service account email used instead of user email
      D. Missing full email address after 'user:' prefix

      Solution

      1. Step 1: Check the required format for user members

        User members must include the full email address after the user: prefix.

      2. Step 2: Identify the error cause

        Using just user:alice is incomplete and causes a format error.

      3. Final Answer:

        Missing full email address after 'user:' prefix -> Option D

      4. Quick Check:

        User members need full email [OK]
      Hint: Always include full email after 'user:' [OK]
      Common Mistakes:
      • Using only username without domain
      • Confusing user and group prefixes
      • Assuming IAM rejects user members
      5. You want to grant a Cloud Function access to a Pub/Sub topic using a service account. Which member string should you add to the Pub/Sub IAM policy?
      hard
      A. group:cloud-function-sa@project.iam.gserviceaccount.com
      B. user:cloud-function-sa@project.iam.gserviceaccount.com
      C. serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com
      D. service-account:cloud-function-sa@project.iam.gserviceaccount.com

      Solution

      1. Step 1: Identify the correct member type for Cloud Function access

        Cloud Functions use service accounts to access other resources, so the member must be a service account.

      2. Step 2: Use the correct prefix for service accounts

        The prefix is serviceaccount: followed by the full service account email.

      3. Step 3: Verify the options

        Only serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com uses the correct prefix and format.

      4. Final Answer:

        serviceaccount:cloud-function-sa@project.iam.gserviceaccount.com -> Option C

      5. Quick Check:

        Service accounts use 'serviceaccount:' prefix [OK]
      Hint: Use 'serviceaccount:' prefix for Cloud Function identities [OK]
      Common Mistakes:
      • Using 'user:' prefix for service accounts
      • Adding group instead of service account
      • Using incorrect prefix with hyphen