Question 2 - Google Associate Cloud Engineer Real Exam Questions [March 2026 Update]

Q: 2

You are the project owner of a GCP project and want to delegate control to colleagues to manage buckets and files in Cloud Storage. You want to follow Google-recommended practices. Which IAM roles should you grant your colleagues?

Options

Discussion

Emma Feb 14, 2026 8:36 pm

Chloe I. Feb 22, 2026 5:26 am

B imo, A is too broad and C doesn't handle bucket-level permissions.

Liam X. Feb 25, 2026 3:40 pm

C , since Storage Object Admin is usually enough for handling all files in existing buckets. Seen similar picks in practice tests and the official exam guide talks about limiting scope. I might be missing something if bucket-level changes are needed, but seems right for just letting them manage files. Disagree?

Parker H. Feb 22, 2026 5:44 am

C , since Storage Object Admin lets them work with files. Saw a question like this in some exam reports.

Grace O. Feb 20, 2026 10:16 am

A is wrong, B. Storage Admin lets your coworkers manage both buckets and files, which is what you need here. Project Editor gives way too much access. Almost sure B's the safest pick if you want to follow Google's best practices.

Zoe D. Feb 24, 2026 1:43 am

Probably B since "Storage Admin" covers both bucket and object management, which is what the question actually asks for. Project Editor's way too broad, and C or D don't handle buckets. Sometimes people forget about the scope difference.

Ava G. Mar 3, 2026 2:43 pm

B , that's what the official guide suggests if you want full bucket and object management without giving away extra project permissions. C and D don't cover bucket-level stuff. Saw similar wording in a practice set. If you're prepping, focus on understanding the IAM predefined roles for Storage.

Ben B. Feb 23, 2026 9:33 am

C? Saw a similar question on a practice exam, went with Storage Object Admin.

Owen H. Feb 27, 2026 2:53 am

I don’t think Project Editor (A) is right here, since it gives way more permissions than needed, not just Storage. Storage Admin (B) is scoped to buckets and files, so that lines up with least privilege best practice. It’s a common trap to pick A for convenience.

Skyler H. Feb 18, 2026 4:59 am

B tbh, Project Editor (A) is way too broad since it gives access to pretty much everything in the project. Google recommends role-based access like Storage Admin for this exact use case. A is a trap.

Be respectful. No spam.

Correct Answer:

Explanation

The Storage Admin (roles/storage.admin) role provides full control over Cloud Storage resources. This includes all necessary permissions to manage both buckets (e.g., create, delete, list, set IAM policies) and the objects (files) within them. Using this predefined role adheres to the Google-recommended practice of applying the principle of least privilege. It grants the required permissions scoped specifically to the Cloud Storage service, unlike the overly broad Project Editor basic role. This role is the most suitable for colleagues who need comprehensive control over buckets and files without granting them permissions for other services in the project.

Why Incorrect

A. Project Editor: This is a basic role that grants broad permissions across most Google Cloud services, violating the principle of least privilege.

C. Storage Object Admin: This role grants permissions to manage objects (files) but lacks the necessary permissions to create, delete, or configure buckets.

D. Storage Object Creator: This role is highly restrictive, only allowing users to create objects. It does not permit managing objects or buckets.

References

1. Google Cloud Documentation

"Cloud Storage IAM roles": The table in this document explicitly states that the roles/storage.admin role provides "Full control of Cloud Storage resources

" which encompasses both buckets and objects. In contrast

roles/storage.objectAdmin is described as having "Full control of Cloud Storage objects

" which does not include bucket management.

Source: Google Cloud

Cloud Storage Documentation

"IAM roles for Cloud Storage".

2. Google Cloud Documentation

"Understanding roles": This guide explains the different types of roles. It recommends using predefined roles over basic roles (like Editor) to grant only the necessary permissions. "Whenever possible

we recommend that you grant predefined roles instead of basic roles. Predefined roles provide finer-grained access control and help you follow the principle of least privilege."

Source: Google Cloud

IAM Documentation

"Understanding roles"

Section: "Role types".

3. Google Cloud Documentation

"Using IAM permissions": This document reinforces the best practice of using the most limited predefined role that meets requirements. "Follow the principle of least privilege... When choosing a predefined role

pick one that contains the minimum set of permissions that your user needs."

Source: Google Cloud

IAM Documentation

"Granting

changing

and revoking access to resources"

Section: "Best practices".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE