Advise development and operation teams — GCP PCA Practice Question 35

How to approach this question

Apply the principle of least privilege: use predefined roles (not basic roles) and apply them at the lowest possible level in the resource hierarchy.

Full Answer

C.Grant the `roles/logging.viewer` role on the specific Cloud Run service resource.✓ Correct

Grant the `roles/logging.viewer` role on the specific Cloud Run service resource.

Google Cloud IAM follows the principle of least privilege. Basic roles (Owner/Editor/Viewer) should be avoided in production. Predefined roles (like `roles/logging.viewer`) provide granular permissions. Furthermore, IAM policies should be applied at the lowest possible level in the resource hierarchy (in this case, the specific Cloud Run service, not the entire Project) to restrict access strictly to what is needed.

Common mistakes

Applying roles at the Project level out of convenience, which grants overly broad access.

A new developer joins your team and needs to view the logs for a specific Cloud Run service to troubleshoot an issue. They should not be able to modify the service or view logs for other services. Which IAM role should you grant?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Professional Cloud Architect Practice Exam 1

More questions from this exam