Google Cloud Associate Cloud Engineer — Question 212
The DevOps group in your organization needs full control of Compute Engine resources in your development project. However, they should not have permission to create or update any other resources in the project. You want to follow Google’s recommendations for setting permissions for the DevOps group. What should you do?
Answer options
- A. Grant the basic role roles/viewer and the predefined role roles/compute.admin to the DevOps group.
- B. Create an IAM policy and grant all compute.instanceAdmin.* permissions to the policy. Attach the policy to the DevOps group.
- C. Create a custom role at the folder level and grant all compute.instanceAdmin.* permissions to the role. Grant the custom role to the DevOps group.
- D. Grant the basic role roles/editor to the DevOps group.
Correct answer: A
Explanation
The correct answer is A: the predefined role roles/compute.admin gives the DevOps group full control of Compute Engine resources, while the basic role roles/viewer is read-only, so the group cannot create or update other resources in the project. Option B does not align with the recommendation since it focuses solely on instance permissions without the viewer role. Option C introduces unnecessary complexity with a custom role when predefined roles suffice. Option D would provide excessive permissions, because roles/editor allows edits to other resources.