
Answer-first summary for fast verification
Answer: B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
The question asks for an access strategy that enforces least privilege at all times and lets the DevOps team reach resources only while a deployment incident is being investigated. Option B is optimal because a custom IAM role with limited list/view permissions grants the DevOps team only the permissions it needs, which is exactly least privilege. The temporary-access requirement is then met by attaching IAM conditions to the binding (for example, a time-bound expiry or a grant tied to incident triggers), giving just-in-time access without the added complexity of service accounts. Option D relies on a service account, which is less suitable for human users: it obscures who actually performed an action, complicating traceability and auditing, and the Service Account User role alone may not be enough for impersonation without the Service Account Token Creator role. Options A and C violate least privilege by granting overly broad basic roles (Project Viewer and Project Owner). The community discussion shows support for both B and D, but B aligns better with Google best practices for human access control and traceability.
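As an added example (not part of the LeetQuiz page or Google's tooling), the Python below expresses the two halves of option B as IAM policy data: a custom role holding only get/list permissions, and a binding carrying a time-bound IAM condition. It also audits a constructed policy and flags the basic-role and permanent bindings that options A and C would create. The project ID, role ID, group address and dates are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Basic roles bundle permissions across every service: too broad for a list/view need.
BROAD_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}

# Constructed custom role body in the shape `gcloud iam roles create --file` accepts.
CUSTOM_ROLE = {"title": "DevOps Incident Viewer", "stage": "GA",
               "includedPermissions": ["compute.instances.get", "compute.instances.list",
                                       "logging.logEntries.list", "monitoring.timeSeries.list"]}

def list_view_only(role: dict) -> bool:
    """True when every permission in the custom role is a read-only get/list verb."""
    return all(p.rsplit(".", 1)[1] in {"get", "list"} for p in role["includedPermissions"])

def jit_binding(member: str, role: str, expires: datetime) -> dict:
    """Binding whose IAM condition expires: the just-in-time part of option B."""
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"role": role, "members": [member],
            "condition": {"title": "incident-window",
                          "expression": f'request.time < timestamp("{stamp}")'}}

_EXPIRY = re.compile(r'request\.time < timestamp\("([^"]+)"\)')

def binding_expiry(binding: dict) -> Optional[datetime]:
    """Expiry encoded in a time-bound condition, or None when access is permanent."""
    cond = binding.get("condition")
    m = _EXPIRY.search(cond["expression"]) if cond else None
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))

def audit(policy: dict) -> list:
    """Flag bindings that break least privilege or lack a time-bound condition."""
    findings = []
    for b in policy.get("bindings", []):
        who = ",".join(b["members"])
        if b["role"] in BROAD_ROLES:
            findings.append(f"{who}: {b['role']} is a basic role, not list/view only")
        if binding_expiry(b) is None:
            findings.append(f"{who}: {b['role']} has no expiry, access is permanent")
    return findings

# Constructed sample mirroring `gcloud projects get-iam-policy --format=json`
# (policy version 3 is required for conditional bindings).
SAMPLE_POLICY = {"version": 3, "bindings": [
    {"role": "roles/viewer", "members": ["group:devops@example.com"]},  # option A
    jit_binding("group:devops@example.com",                            # option B
                "projects/demo-project/roles/devopsIncidentViewer",
                datetime(2024, 5, 2, tzinfo=timezone.utc)),
]}
```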
Author: LeetQuiz Editorial Team
You are developing an incident response plan and need to define an access strategy for your DevOps team to investigate a deployment issue in Google Cloud. The strategy must adhere to two requirements:
How should you grant access while following Google-recommended best practices?
A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User Role on this service account to the DevOps team.
D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.