
Answer-first summary for fast verification
Answer: Create a custom role at the folder level with all compute.instanceAdmin.* permissions and assign it to the DevOps group.
The most secure and appropriate way to grant the DevOps team administrative permissions for Compute Engine only is to create a custom role at the folder level with all compute.instanceAdmin.* permissions and assign it to the DevOps group. This approach adheres to the principle of least privilege by ensuring the DevOps team has access only to Compute Engine resources. Applying the role at the folder level scopes the permissions to a specific part of your Google Cloud organization. The other options either grant unnecessary permissions or are harder to organize and manage than a custom role.
Author: LeetQuiz Editorial Team
Your team is using a Google Cloud Project for development, and the company's DevOps team manages all Compute Engine instances. How can you grant the DevOps team full administrative permissions for Compute Engine in your project without giving them access to other resources?
A. Assign the DevOps team the predefined roles/compute.admin role along with the roles/viewer basic role.
B. Create an IAM policy that grants all compute.instanceAdmin.* permissions and apply it to the DevOps group.
C. Create a custom role at the folder level with all compute.instanceAdmin.* permissions and assign it to the DevOps group.
D. Grant the DevOps group the roles/editor basic role.