You are the project owner of a GCP project and want to delegate control to colleagues to manage buckets and files in Cloud Storage. You want to follow Google-recommended practices. Which IAM roles should you grant your colleagues?
Correct Answer is (B):
Storage Admin (roles/storage.admin) Grants full control of buckets and objects.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.objects.*
The correct answer is B
This role allows users to create, manage, and delete buckets and files in Cloud Storage. It also allows users to set permissions on buckets and files.
The other options are not as good:
A gives users too much power, as it allows them to manage all resources in a project, including Cloud Storage buckets and files.
C gives users too much power, as it allows them to manage all objects in a bucket, including the permissions on those objects.
D does not give users enough power, as it does not allow them to manage buckets or set permissions on buckets and objects.
Steps to grant Storage Admin IAM role:
1. Go to the Google Cloud Console.
2. Click on the IAM & Admin menu.
3. Click on the Roles tab.
4. Click on the Storage Admin role.
5. Click on the Add members button.
6. Type the email addresses of your colleagues in the Members field.
7. Click on the Add button.
Answer B, "Storage Admin," is the correct answer because it grants permissions to manage Cloud Storage resources at the project level, including creating and deleting buckets, changing bucket settings, and assigning permissions to buckets and their contents. This role also includes the permissions of the "Storage Object Admin" and "Storage Object Creator" roles, which allow managing objects and uploading new ones.
Answer A, "Project Editor," is a higher-level role that includes permissions to manage not only Cloud Storage but also other GCP services in the project. Granting this role may not be appropriate if the colleagues only need to manage Cloud Storage resources.
Answers C and D may not be sufficient if the colleagues need to create or delete buckets or change their settings.
Storage Admin (roles/storage.admin)
Grants full control of buckets and objects.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
While
Storage Object Admin (roles/storage.objectAdmin)
Grants full control over objects, including listing, creating, viewing, and deleting objects.
According to the question, your colleagues need to manage "buckets" in Cloud Storage (storage.objects.* permission), so (B) is correct.
(C) doesn't have control over the buckets.
Cloud document:
https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles
-> Storage Object Admin (cannot find "storage.buckets.*" permission)
-> Storage Admin (has "storage.buckets.*" permission)
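The comparison above (which predefined role includes `storage.buckets.*`) can be made mechanical. The following is an added example, not code from the original page or from Google: it ranks candidate roles by whether their permission patterns cover a required set, using the wildcard style the docs use. The permission list for roles/storage.admin is taken from the page; the lists for roles/storage.objectAdmin and roles/storage.objectCreator are assumed summaries and should be verified with `gcloud iam roles describe <role>` before use.

```python
"""Pick the narrowest predefined role that covers a set of required permissions."""
from fnmatch import fnmatchcase

# Constructed role catalogue. Patterns follow the docs' "storage.buckets.*" style.
ROLES = {
    # Basic role: modelled as "everything" because it spans every service in the project.
    "roles/editor": ["*"],
    # From the page's listing of roles/storage.admin.
    "roles/storage.admin": [
        "firebase.projects.get", "resourcemanager.projects.get",
        "resourcemanager.projects.list", "storage.buckets.*", "storage.objects.*",
    ],
    # Assumed summaries: object-level control only, no storage.buckets.* permissions.
    "roles/storage.objectAdmin": ["resourcemanager.projects.get", "storage.objects.*"],
    "roles/storage.objectCreator": ["resourcemanager.projects.get", "storage.objects.create"],
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def has_permission(role: str, permission: str) -> bool:
    """True if any pattern in the role's list matches the permission ('*' spans dots)."""
    return any(fnmatchcase(permission, pattern) for pattern in ROLES[role])


def missing_permissions(role: str, required: list[str]) -> list[str]:
    """Required permissions the role does not grant, sorted for stable output."""
    return sorted(p for p in required if not has_permission(role, p))


def narrowest_roles(required: list[str]) -> list[str]:
    """Predefined roles that cover every required permission, narrowest first.

    Basic roles are excluded up front: they cover the request but also grant
    control over every other service in the project, which is the over-grant
    the question warns about. Narrowness is approximated by (wildcard count,
    pattern count); that ranking is enough to separate these storage roles.
    """
    covering = [r for r in ROLES
                if r not in BASIC_ROLES and not missing_permissions(r, required)]
    return sorted(covering, key=lambda r: (sum("*" in p for p in ROLES[r]), len(ROLES[r])))


if __name__ == "__main__":
    # "Manage buckets and files": bucket lifecycle and bucket IAM plus object writes.
    needed = ["storage.buckets.create", "storage.buckets.delete",
              "storage.buckets.setIamPolicy", "storage.objects.create"]
    print(narrowest_roles(needed))            # ['roles/storage.admin']
    print(missing_permissions("roles/storage.objectAdmin", needed))
```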