
Roles (basic, predefined, custom) in GCP - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is a basic role in Google Cloud Platform (GCP)?
A basic role is a broad set of permissions that apply across all GCP services. Examples include Owner, Editor, and Viewer. They are simple but give wide access.
beginner
How do predefined roles differ from basic roles in GCP?
Predefined roles are more specific than basic roles. They grant permissions tailored to particular services or tasks, helping follow the principle of least privilege.
intermediate
What is a custom role in GCP and why use it?
A custom role is a user-created role with a specific set of permissions chosen to fit unique needs. It helps give only the exact permissions needed, improving security.
beginner
Name the three basic roles in GCP and their main permission levels.
Owner: full control including billing and permissions management. Editor: can modify resources but not manage permissions. Viewer: read-only access to resources.
intermediate
Why is it recommended to avoid using basic roles when possible?
Because basic roles grant broad permissions, they can expose resources to unnecessary risk. Using predefined or custom roles limits access to only what is needed.
Which GCP role type provides the broadest access across all services?
A. Custom roles
B. Predefined roles
C. Basic roles
D. No roles
What is the main advantage of predefined roles over basic roles?
A. They are easier to create
B. They cannot be assigned to users
C. They grant full access to billing
D. They provide more specific permissions
Which role type allows you to create a role with exactly the permissions you want?
A. Predefined roles
B. Custom roles
C. Basic roles
D. No roles
Which basic role in GCP can only view resources but not change them?
A. Viewer
B. Editor
C. Custom
D. Owner
Why should you prefer predefined or custom roles over basic roles?
A. They reduce security risks by limiting permissions
B. They are easier to assign
C. They grant more permissions
D. They are free
Explain the differences between basic, predefined, and custom roles in GCP.
Think about how much access each role type gives and how specific they are.
Why is it important to use predefined or custom roles instead of basic roles in a cloud project?
Consider the risks of giving too much access.

      Practice

      1. Which type of Google Cloud role provides broad access across all services with simple permissions like Owner, Editor, and Viewer?
      easy
      A. Predefined roles
      B. Basic roles
      C. Custom roles
      D. Service accounts

      Solution

      1. Step 1: Understand role categories

        Google Cloud has three main role types: basic, predefined, and custom.
      2. Step 2: Identify broad access roles

        Basic roles like Owner, Editor, and Viewer provide broad access across all services.
      3. Final Answer:

        Basic roles -> Option B
      4. Quick Check:

        Broad access = Basic roles [OK]
      Hint: Basic roles cover broad access across all services [OK]
      Common Mistakes:
      • Confusing predefined roles with basic roles
      • Thinking custom roles are broad by default
      • Mixing service accounts with roles
      2. Which of the following is the correct way to create a custom role in Google Cloud IAM?
      easy
      A. Use the gcloud CLI with 'gcloud iam roles create' and specify permissions
      B. Assign a predefined role to a user
      C. Use the Google Cloud Console to assign a basic role
      D. Create a service account with custom permissions

      Solution

      1. Step 1: Identify how to create custom roles

        Custom roles require specifying exact permissions and are created via CLI or console.
      2. Step 2: Match correct command

        The 'gcloud iam roles create' command is used to create custom roles with specific permissions.
      3. Final Answer:

        Use the gcloud CLI with 'gcloud iam roles create' and specify permissions -> Option A
      4. Quick Check:

        Create custom role = gcloud iam roles create [OK]
      Hint: Custom roles need explicit creation with permissions via CLI [OK]
      Common Mistakes:
      • Confusing assigning roles with creating roles
      • Using service accounts to create roles
      • Assigning basic roles instead of creating custom ones
      3. Given this snippet assigning roles to a user:
      gcloud projects add-iam-policy-binding my-project \
        --member='user:alice@example.com' \
        --role='roles/storage.objectViewer'
      What type of role is 'roles/storage.objectViewer'?
      medium
      A. Basic role
      B. Custom role
      C. Service account role
      D. Predefined role

      Solution

      1. Step 1: Analyze the role name format

        The role name 'roles/storage.objectViewer' follows the predefined role naming pattern.
      2. Step 2: Understand role types

        Predefined roles are specific to services and have names like 'roles/serviceName.roleName'.
      3. Final Answer:

        Predefined role -> Option D
      4. Quick Check:

        roles/storage.objectViewer = Predefined role [OK]
      Hint: Predefined roles have service-specific names like roles/service.role [OK]
      Common Mistakes:
      • Thinking all roles starting with 'roles/' are basic
      • Confusing custom roles with predefined roles
      • Assuming service accounts have roles
      4. A user tries to create a custom role but gets an error. The command used is:
      gcloud iam roles create myCustomRole --project=my-project --permissions=storage.buckets.list,compute.instances.create
      What is the likely cause of the error?
      medium
      A. The command is missing the role title and description
      B. Permissions must be comma-separated without spaces
      C. The project ID is incorrect
      D. Custom roles cannot include permissions from multiple services

      Solution

      1. Step 1: Review required parameters for custom role creation

        Creating a custom role requires a title and description along with permissions.
      2. Step 2: Check the command for missing parameters

        The command lacks '--title' and '--description' flags, causing the error.
      3. Final Answer:

        The command is missing the role title and description -> Option A
      4. Quick Check:

        Missing title/description causes create role error [OK]
      Hint: Always include title and description when creating custom roles [OK]
      Common Mistakes:
      • Assuming permissions from multiple services are invalid
      • Ignoring required flags like title and description
      • Mistaking project ID errors for permission errors
      5. You want to give a team member permission to manage only Compute Engine instances but no other services. Which role type should you assign and why?
      hard
      A. Custom role with all permissions, to cover all possible needs
      B. Basic role Editor, because it covers all services including Compute Engine
      C. Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only
      D. Basic role Viewer, because it allows managing instances

      Solution

      1. Step 1: Understand the requirement

        The team member needs permissions only for Compute Engine, not other services.
      2. Step 2: Evaluate role types

        Basic roles are broad and cover all services; custom roles require manual permission selection; predefined roles offer service-specific permissions.
      3. Step 3: Choose the best fit

        The predefined Compute Engine Admin role grants full Compute Engine permissions without extra access.
      4. Final Answer:

        Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only -> Option C
      5. Quick Check:

        Service-specific access = Predefined role [OK]
      Hint: Use predefined roles for service-specific permissions [OK]
      Common Mistakes:
      • Using broad basic roles instead of specific predefined roles
      • Assigning Viewer role expecting management permissions
      • Creating unnecessary custom roles without need