Question 19 - Google Associate Cloud Engineer Real Exam Questions [March 2026 Update]

Q: 19

Your organization has strict requirements to control access to Google Cloud projects. You need to enable your Site Reliability Engineers (SREs) to approve requests from the Google Cloud support team when an SRE opens a support case. You want to follow Google-recommended practices. What should you do?

Options

Correct Answer:

Explanation

To allow SREs to approve access requests from Google support, they must be granted the accessapproval.requests.approve permission. This permission is included in the predefined IAM role roles/accessapproval.approver. Google's recommended best practice for managing permissions is to assign roles to groups rather than individual users. This approach simplifies administration, as membership changes are managed within the group without altering IAM policies. Therefore, the correct procedure is to add the SREs to a Google Group and then grant the roles/accessapproval.approver role to that group.

Why Incorrect

A. The roles/iam.roleAdmin role is for managing custom IAM roles, not for approving support access requests. It also violates the best practice of using groups.

B. While this assigns the correct role, it grants it to individual users directly, which contradicts the Google-recommended practice of using groups for scalable and manageable permissions.

C. This option correctly uses a group, but it assigns the roles/iam.roleAdmin role, which does not grant the necessary permissions to approve Access Approval requests.

References

1. Google Cloud Documentation

"Access Approval IAM roles": This document explicitly lists the roles/accessapproval.approver role and its associated permission

accessapproval.requests.approve

which is required to "Approve a request for access."

Source: Google Cloud > Documentation > Access Approval > Control access with IAM > Access Approval IAM roles.

2. Google Cloud Documentation

"Policy recommendations": This guide on best practices for IAM states

"Use Google Groups to manage principals... Using groups is a convenient way to manage access for a collection of users. You can grant and change access controls for a whole group at once

instead of granting or changing access controls for individual users one by one."

Source: Google Cloud > Documentation > Identity and Access Management > Best practices for using IAM > Policy recommendations > Use Google Groups to manage principals.

3. Google Cloud Documentation

"Overview of Access Approval": This document describes the purpose of the service: "Access Approval ensures that whenever a Google employee wants to access your user content for support and other services

they must get your explicit approval." This confirms that Access Approval is the correct service for the described scenario.

Source: Google Cloud > Documentation > Access Approval > Overview.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE