Bird
Raised Fist0
GCPcloud~20 mins

Roles (basic, predefined, custom) in GCP - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
GCP Roles Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
2:00remaining
Understanding Basic Roles in GCP

Which of the following statements correctly describes the basic roles in Google Cloud Platform?

ABasic roles are custom roles created by users to grant specific permissions tailored to their needs.
BBasic roles include Owner, Editor, and Viewer, and they grant broad permissions across all resources in a project.
CBasic roles are deprecated and no longer available in GCP.
DBasic roles are predefined roles that only apply to specific services like Compute Engine or Cloud Storage.
Attempts:
2 left
💡 Hint

Think about roles that apply broadly across a whole project.

🧠 Conceptual
intermediate
2:00remaining
Predefined Roles Purpose

What is the main purpose of predefined roles in Google Cloud Platform?

ATo provide very broad permissions that apply to all resources in a project.
BTo allow users to create their own roles with any permissions they want.
CTo grant permissions tailored to specific GCP services or tasks, offering more granularity than basic roles.
DTo replace custom roles and remove the need for user-defined permissions.
Attempts:
2 left
💡 Hint

Think about roles designed for specific services or tasks.

Architecture
advanced
2:30remaining
Choosing Role Types for a Secure Project

You are designing access control for a GCP project. You want to follow the principle of least privilege and allow users to perform only necessary actions on Compute Engine and Cloud Storage. Which role types should you assign?

AAssign basic roles like Editor to all users for simplicity.
BCreate custom roles with all permissions and assign them to users.
CAssign Owner role to all users to avoid permission issues.
DAssign predefined roles specific to Compute Engine and Cloud Storage to users based on their tasks.
Attempts:
2 left
💡 Hint

Think about limiting permissions to only what is needed.

security
advanced
2:00remaining
Custom Roles and Permission Management

Which statement about custom roles in GCP is true?

ACustom roles allow you to combine permissions from multiple predefined roles to fit specific needs.
BCustom roles can only include permissions from basic roles.
CCustom roles automatically update when new permissions are added to GCP services.
DCustom roles cannot be assigned to users or service accounts.
Attempts:
2 left
💡 Hint

Consider how custom roles help tailor permissions.

service_behavior
expert
2:30remaining
Effect of Assigning Multiple Roles

If a user is assigned both a predefined role with read-only permissions on Cloud Storage and a custom role with write permissions on the same service, what will be the user's effective permissions?

AThe user will have both read and write permissions combined from both roles.
BThe user will have write permissions only, as custom roles replace predefined roles.
CThe user will have only read-only permissions because predefined roles override custom roles.
DThe user will have no permissions due to conflict between roles.
Attempts:
2 left
💡 Hint

Think about how permissions from multiple roles combine.

Practice

(1/5)
1. Which type of Google Cloud role provides broad access across all services with simple permissions like Owner, Editor, and Viewer?
easy
A. Predefined roles
B. Basic roles
C. Custom roles
D. Service accounts

Solution

  1. Step 1: Understand role categories

    Google Cloud has three main role types: basic, predefined, and custom.

  2. Step 2: Identify broad access roles

    Basic roles like Owner, Editor, and Viewer provide broad access across all services.

  3. Final Answer:

    Basic roles -> Option B

  4. Quick Check:

    Broad access = Basic roles [OK]
Hint: Basic roles cover broad access across all services [OK]
Common Mistakes:
  • Confusing predefined roles with basic roles
  • Thinking custom roles are broad by default
  • Mixing service accounts with roles
2. Which of the following is the correct way to create a custom role in Google Cloud IAM?
easy
A. Use the gcloud CLI with 'gcloud iam roles create' and specify permissions
B. Assign a predefined role to a user
C. Use the Google Cloud Console to assign a basic role
D. Create a service account with custom permissions

Solution

  1. Step 1: Identify how to create custom roles

    Custom roles require specifying exact permissions and are created via CLI or console.

  2. Step 2: Match correct command

    The 'gcloud iam roles create' command is used to create custom roles with specific permissions.

  3. Final Answer:

    Use the gcloud CLI with 'gcloud iam roles create' and specify permissions -> Option A

  4. Quick Check:

    Create custom role = gcloud iam roles create [OK]
Hint: Custom roles need explicit creation with permissions via CLI [OK]
Common Mistakes:
  • Confusing assigning roles with creating roles
  • Using service accounts to create roles
  • Assigning basic roles instead of creating custom ones
3. Given this snippet assigning roles to a user: 
gcloud projects add-iam-policy-binding my-project \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer'
What type of role is 'roles/storage.objectViewer'?
medium
A. Basic role
B. Custom role
C. Service account role
D. Predefined role

Solution

  1. Step 1: Analyze the role name format

    The role name 'roles/storage.objectViewer' follows the predefined role naming pattern.

  2. Step 2: Understand role types

    Predefined roles are specific to services and have names like 'roles/serviceName.roleName'.

  3. Final Answer:

    Predefined role -> Option D

  4. Quick Check:

    roles/storage.objectViewer = Predefined role [OK]
Hint: Predefined roles have service-specific names like roles/service.role [OK]
Common Mistakes:
  • Thinking all roles starting with 'roles/' are basic
  • Confusing custom roles with predefined roles
  • Assuming service accounts have roles
4. A user tries to create a custom role but gets an error. The command used is: 
gcloud iam roles create myCustomRole --project=my-project --permissions=storage.buckets.list,compute.instances.create
What is the likely cause of the error?
medium
A. The command is missing the role title and description
B. Permissions must be comma-separated without spaces
C. The project ID is incorrect
D. Custom roles cannot include permissions from multiple services

Solution

  1. Step 1: Review required parameters for custom role creation

    Creating a custom role requires a title and description along with permissions.

  2. Step 2: Check the command for missing parameters

    The command lacks '--title' and '--description' flags, causing the error.

  3. Final Answer:

    The command is missing the role title and description -> Option A

  4. Quick Check:

    Missing title/description causes create role error [OK]
Hint: Always include title and description when creating custom roles [OK]
Common Mistakes:
  • Assuming permissions from multiple services are invalid
  • Ignoring required flags like title and description
  • Mistaking project ID errors for permission errors
5. You want to give a team member permission to manage only Compute Engine instances but no other services. Which role type should you assign and why?
hard
A. Custom role with all permissions, to cover all possible needs
B. Basic role Editor, because it covers all services including Compute Engine
C. Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only
D. Basic role Viewer, because it allows managing instances

Solution

  1. Step 1: Understand the requirement

    The team member needs permissions only for Compute Engine, not other services.

  2. Step 2: Evaluate role types

    Basic roles are broad and cover all services; custom roles require manual permission selection; predefined roles offer service-specific permissions.

  3. Step 3: Choose the best fit

    The predefined Compute Engine Admin role grants full Compute Engine permissions without extra access.

  4. Final Answer:

    Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only -> Option C

  5. Quick Check:

    Service-specific access = Predefined role [OK]
Hint: Use predefined roles for service-specific permissions [OK]
Common Mistakes:
  • Using broad basic roles instead of specific predefined roles
  • Assigning Viewer role expecting management permissions
  • Creating unnecessary custom roles without need