An external member of your team needs list access to compute images and disks in one of your projects. You want to follow Google-recommended practices when you grant the required permissions to this user. What should you do?
A.
Create a custom role, and add all the required compute.disks.list and compute.images.list permissions as includedPermissions. Grant the custom role to the user at the project level.
B.
Create a custom role based on the Compute Image User role. Add the compute.disks.list to the includedPermissions field. Grant the custom role to the user at the project level.
C.
Create a custom role based on the Compute Storage Admin role. Exclude unnecessary permissions from the custom role. Grant the custom role to the user at the project level.
D.
Grant the Compute Storage Admin role at the project level.
I have successfully created a custom role with the compute.disks.list and compute.images.list permissions. I have also tried creating it based on the Compute Storage Admin role. However, you still need to select compute.disks.list and compute.images.list individually; all permissions are unchecked by default. So A fits fine.
https://cloud.google.com/iam/docs/custom-roles-permissions-support - Both compute.disks.list and compute.images.list are available as permissions for custom roles. Makes more sense to make a new custom role than going off an admin one then adjusting it.
Option B allows you to create a custom role that is based on the existing Compute Image User role, which already includes the necessary permissions for accessing compute images. Then, you add the compute.disks.list permission to the custom role's includedPermissions field to grant the user list access to compute disks as well. This ensures that the user has precisely the permissions needed for their specific tasks and nothing more, following the principle of least privilege.
Answer is B: The Compute Image User role provides permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. Adding compute.disks.list then meets all the question's requirements.
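The following is an added example, not part of the original question or any commenter's post, showing how option A is implemented with the gcloud CLI: a custom role containing only compute.disks.list and compute.images.list, created at the project level and bound to the user at the project level. The project ID, role ID and member address are placeholder assumptions; the script only prints the definition unless APPLY=1 is set, so nothing is changed in a real project by accident.

```shell
#!/bin/sh
# Added example (not from the thread): implement option A with gcloud.
# All three values below are assumptions; override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"          # assumed target project
ROLE_ID="${ROLE_ID:-computeImageDiskLister}"    # assumed custom role ID
MEMBER="${MEMBER:-user:external@example.com}"   # assumed external user

# Emit the custom role definition in the format gcloud iam roles create
# accepts via --file. Only the two list permissions are included, so the
# role grants nothing beyond what the task requires (least privilege).
role_yaml() {
  cat <<'EOF'
title: "Compute Image and Disk Lister"
description: "List-only access to compute images and disks"
stage: "GA"
includedPermissions:
- compute.disks.list
- compute.images.list
EOF
}

# Count the permissions in a role definition read from stdin
# (one "- permission" line each); used as a sanity check before applying.
count_permissions() {
  grep -c '^- '
}

if [ "${APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  role_yaml > /tmp/role.yaml
  # Create the custom role at the project level from the YAML definition.
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=/tmp/role.yaml
  # Grant the custom role to the user at the project level.
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$MEMBER" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
  # Check: the created role should expose exactly the two list permissions.
  gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
    --format='value(includedPermissions)'
else
  echo "dry run (set APPLY=1 with gcloud installed to apply); role definition:"
  role_yaml
  echo "permissions in role: $(role_yaml | count_permissions)"
fi
```

The same role can be created without a file using `gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --permissions=compute.disks.list,compute.images.list --stage=GA`. Starting from an empty permission list, as option A does, is easier to review than starting from Compute Storage Admin and removing permissions, because the final role contains only what was deliberately added; `gcloud iam roles describe` is the check that confirms it.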