Exam Associate Cloud Engineer topic 1 question 235 discussion

Answer is A. roles/viewer gives read only access on Project, so it does not create/update any resources. roles/compute.admin gives full access to Compute Engine resources.

Answer is C. 1. The DevOps group needs full control of Compute Engine resources in your development project. --> So, we grants permissions to create and update Compute Engine instances and their related resources, such as disks, images, and snapshots. A// Create a custom role at the folder level and grant all compute.instanceAdmin.* permissions to the role. 2. They should not have permission to create or update any other resources in the project. --> We do not grant permissions to create or update any other resources in the project, such as Cloud Storage buckets, Cloud Functions, or BigQuery datasets. A// Grant the custom role to the DevOps group.

The correct answer is A. Take it or leave it

"roles/compute.admin" - Full control of all Compute Engine resources. "roles/compute.instanceAdmin" - If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role. Correct answer is definitely A

Google recommends using custom roles

A. Grant roles/viewer and roles/compute.admin: • The roles/viewer role provides read-only access to most Google Cloud services • The roles/compute.admin role gives full control over Compute Engine resources, which is appropriate for the DevOps group's needs.

This one is very tricky, by my opinion correct answer is B. This wildcard at the end is important "grant all compute.instanceAdmin.*" that means that you need to assign two policies that are already there: - roles/compute.instanceAdmin.v1 - roles/compute.instanceAdmin (beta) So if the user has compute.instanceAdmin.v1 he will have full compute access without adding the additional one "roles/iam.serviceAccountUser". Also another argument against answer A is the Google recommendations to use the basic roles only when there is no predefined roles, and this is valid for all kind of environments not just production.

Its B, 100%

it's A, No doubt. - "they should not have permission to create or update any other resources in the project" that sentence doesn't state that they don't want give acess to other resources, just not create or update. basic roles/viewer gives permissions for read-only actions: https://cloud.google.com/iam/docs/understanding-roles - "Full control of all Compute Engine resources" Compute Admin (roles/compute.admin) gives full control of all Compute Engine resources. https://cloud.google.com/iam/docs/understanding-roles#compute.admin compute.instanceAdmin.* does not.

C is definitely wrong. You cant create custom roles at folder level, you can create it at project or organization level

I think its B. since they want full access to compute engine, so compute.instanceAdmin role but to restrict access to other resources, so no folder level access(C) is needed. According to the web search results, one possible role that can give full access to Compute Engine but no access to other resources is the Compute Instance Admin role. This role allows a user to create and manage instances, disks, images, and snapshots, but not other resources like networks, firewalls, or load balancers.

Explanation: The compute.instanceAdmin.* permissions provide full control over Compute Engine resources, which aligns with the requirement for the DevOps group to have complete control over Compute Engine resources. Creating an IAM policy and granting these specific permissions ensures the permissions are scoped to the project level, meeting the requirement to grant permissions only within the project and not beyond. This option grants the necessary permissions for Compute Engine management at the project level while limiting the scope to the specified project.

For me its B, until anyone says the contrary and why. It give ONLY the permissions required. No more or less.

Answer A Compute Admin (roles/compute.admin) Full control of all Compute Engine resources.

A is th correct answer as it provied all the required access

Compute Admin (roles/compute.admin) = Full control of all Compute Engine resources. The only permission to have full control of Computer Engine Resources (as required in question) ref: https://cloud.google.com/iam/docs/understanding-roles#compute.admin Compute.instanceAdmin does NOT allow FULL control of Compute Engine, only Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

C meets the requirement of permission with least privilege