Question 14 - Google Associate Cloud Engineer Real Exam Questions [Jan 2026 Update]

Q: 14

You want to add a new auditor to a Google Cloud Platform project. The auditor should be allowed to read, but not modify, all project items. How should you configure the auditor's permissions?

Options

Correct Answer:

Explanation

The most appropriate and secure method to grant read-only access to all resources within a Google Cloud project is by using the predefined Identity and Access Management (IAM) Viewer role (roles/viewer). This basic role provides broad, read-only permissions across all project services and resources, which aligns perfectly with the requirements for an auditor who needs to inspect but not alter the project's state. Using a predefined role is a best practice as it is managed by Google and ensures that the permissions are correctly and consistently applied for the intended purpose without the overhead of creating and maintaining a custom role.

Why Incorrect

A. Creating a custom role is unnecessary when a predefined role perfectly fits the requirement. It adds management overhead and potential for misconfiguration.

B. A custom role with "view-only service permissions" is ambiguous and likely insufficient, as the requirement is for all project items, not just specific services.

D. There is no single, built-in "service Viewer" role. Predefined viewer roles are specific to services (e.g., Compute Viewer), which would not grant the required project-wide access.

References

1. Google Cloud Documentation

IAM

Basic roles: "The Viewer role (roles/viewer) provides permissions for read-only actions that don't modify state

such as viewing (but not modifying) existing resources or data." This directly supports the use of the Viewer role for an auditor. (See section: "Basic roles"

subsection: "Viewer").

2. Google Cloud Documentation

IAM

Understanding roles: "Basic roles include the Owner

Editor

and Viewer roles. You can use these roles to grant principals broad access to all Google Cloud resources... When possible

we recommend that you grant predefined roles instead of basic roles." However

for project-wide read access

the basic Viewer role is the intended and most direct solution. (See section: "Role types").

3. Google Cloud Documentation

IAM

Creating and managing custom roles: "IAM also offers custom roles. These roles let you grant a fine-grained set of permissions that you define... Create a custom role only if the predefined roles don't meet your needs." This confirms that predefined roles should be used first

making option C superior to A. (See section: "Before you begin").

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE