The IAM & Admin page in the Google Cloud Console provides a comprehensive view of the Identity and Access Management (IAM) policy for a specific resource, such as a project. This page lists all principals (members like users, groups, and service accounts) and the specific roles granted to them for that project. This directly allows an administrator to verify who has what level of access, fulfilling the question's requirement to check assigned users and roles. The gcloud projects get-iam-policy [PROJECTID] command provides the same information via the command line.

A. gcloud iam roles list only lists the available IAM roles in a project or organization; it does not show which members are assigned to those roles.

B. gcloud iam service-accounts list only lists the service accounts within a project. It does not show other member types (like users or groups) or their role assignments.

D. The "Roles" section in the GCP Console lists available roles and their associated permissions, similar to option A. It does not display the bindings of these roles to members.

---

1. Google Cloud Documentation - View access to a project

folder

or organization: "You can get a list of principals who have access to a project... using the Google Cloud console... In the Google Cloud console

go to the IAM page... The IAM page displays all of the principals who have IAM roles on your project

and what roles they are granted."

Source: Google Cloud Documentation

"IAM > Documentation > How-to guides > Granting

changing

and revoking access > View access to a project

folder

or organization".

2. Google Cloud SDK Documentation - gcloud projects get-iam-policy: This command is the CLI equivalent for viewing the full policy. "This command prints the IAM policy for a project... The output includes an etag field identifying the version of the policy." The policy itself contains the bindings between members and roles.

Source: Google Cloud SDK Documentation

gcloud projects get-iam-policy.

3. Google Cloud SDK Documentation - gcloud iam roles list: "List the IAM roles for a project or organization." This command's description confirms it only lists the roles themselves

not their assignments.

Source: Google Cloud SDK Documentation

gcloud iam roles list.

The gcloud iam roles copy command is specifically designed to duplicate a custom role from a source project or organization to a destination project or organization. Using this command-line tool is the most efficient method ("fewest possible steps") to replicate one or more roles, as it can be executed in a single line per role and easily scripted for bulk operations. This approach is significantly faster and less prone to human error than manually recreating roles through the Google Cloud Console.

B. Copying the role to the destination organization makes it available to all projects. This is a broader scope than requested and may not be desirable from a security or management perspective.

C. The ‘create role from role’ functionality in the console is a multi-step, manual process for each role, which is less efficient than a single gcloud command, especially if multiple roles are involved.

D. Manually creating a role and selecting permissions is the most inefficient and error-prone method, directly contradicting the requirement for the "fewest possible steps."

---

1. Google Cloud SDK Documentation

gcloud iam roles copy:

The official documentation for the command explicitly states its purpose: "is used to copy an IAM role." The examples demonstrate copying a role from a source project to a destination project using the --source-project and --dest-project flags. This directly supports option A as the purpose-built tool for the task.

Source: Google Cloud. (n.d.). gcloud iam roles copy. Google Cloud SDK documentation. Retrieved from https://cloud.google.com/sdk/gcloud/reference/iam/roles/copy

2. Google Cloud IAM Documentation

"Creating and managing custom roles":

Under the section "Copying an existing role

" the documentation provides the exact gcloud iam roles copy command as the method for this task. It highlights this as a primary way to replicate roles

reinforcing its status as the correct and most direct procedure.

Source: Google Cloud. (n.d.). Create and manage custom roles. IAM documentation. Retrieved from https://cloud.google.com/iam/docs/creating-custom-roles#copying-an-existing-role

3. Google Cloud IAM Documentation

"Custom roles overview":

This document explains the scope of custom roles

which can be created at either the project or organization level. This context clarifies why specifying the destination project (Option A) is more precise and appropriate for the user's request than specifying the organization (Option B).

Source: Google Cloud. (n.d.). Overview of IAM custom roles. IAM documentation. Retrieved from https://cloud.google.com/iam/docs/understanding-custom-roles#customroleavailability

The location of a Google App Engine application is a permanent setting chosen during its initial creation within a Google Cloud project. This location cannot be changed after the application is created. Furthermore, a single Google Cloud project can contain only one App Engine application. Therefore, to deploy the application in a new region (asia-northeast1), you must create an entirely new Google Cloud project. Within this new project, you can then create a new App Engine application and specify asia-northeast1 as its serving location during the setup process.

A. The project's default region setting primarily affects services like Compute Engine and does not alter the immutable location of an existing App Engine application.

B. The region of an App Engine application is an immutable property. It is set once at creation and cannot be modified later.

C. A Google Cloud project is limited to a single App Engine application. It is not possible to create a second one within the same project.

1. Google Cloud Documentation

App Engine Locations: "When you create an app

you must choose a location... The location you choose for your app is permanent and cannot be changed." This document also states

"Each Google Cloud project can contain only one App Engine app."

Source: Google Cloud

App Engine Locations

"Choosing a location" and "Location and your project" sections. https://cloud.google.com/appengine/docs/locations

2. Google Cloud SDK Documentation

gcloud app create: The official command-line tool documentation for creating an App Engine application explicitly states for the --region flag: "The region to create the App Engine application in. You can't change the region after you set it."

Source: Google Cloud SDK

gcloud app create

Command description. https://cloud.google.com/sdk/gcloud/reference/app/create

The most appropriate and secure method to grant read-only access to all resources within a Google Cloud project is by using the predefined Identity and Access Management (IAM) Viewer role (roles/viewer). This basic role provides broad, read-only permissions across all project services and resources, which aligns perfectly with the requirements for an auditor who needs to inspect but not alter the project's state. Using a predefined role is a best practice as it is managed by Google and ensures that the permissions are correctly and consistently applied for the intended purpose without the overhead of creating and maintaining a custom role.

A. Creating a custom role is unnecessary when a predefined role perfectly fits the requirement. It adds management overhead and potential for misconfiguration.

B. A custom role with "view-only service permissions" is ambiguous and likely insufficient, as the requirement is for all project items, not just specific services.

D. There is no single, built-in "service Viewer" role. Predefined viewer roles are specific to services (e.g., Compute Viewer), which would not grant the required project-wide access.

1. Google Cloud Documentation

IAM

Basic roles: "The Viewer role (roles/viewer) provides permissions for read-only actions that don't modify state

such as viewing (but not modifying) existing resources or data." This directly supports the use of the Viewer role for an auditor. (See section: "Basic roles"

subsection: "Viewer").

2. Google Cloud Documentation

IAM

Understanding roles: "Basic roles include the Owner

Editor

and Viewer roles. You can use these roles to grant principals broad access to all Google Cloud resources... When possible

we recommend that you grant predefined roles instead of basic roles." However

for project-wide read access

the basic Viewer role is the intended and most direct solution. (See section: "Role types").

3. Google Cloud Documentation

IAM

Creating and managing custom roles: "IAM also offers custom roles. These roles let you grant a fine-grained set of permissions that you define... Create a custom role only if the predefined roles don't meet your needs." This confirms that predefined roles should be used first

making option C superior to A. (See section: "Before you begin").

The most effective method for automating command-line operations across multiple Google Cloud projects is by using gcloud configurations. Each configuration stores a set of properties, including the project ID and account. By creating one configuration for the 'development' project and another for 'production', a script can programmatically switch between them using gcloud config configurations activate. For each active configuration, the gcloud compute instances list command is used to retrieve the instance data for that specific project. This entire workflow is scriptable, allowing it to be automated for daily execution via a cron job or Cloud Scheduler.

B. gsutil is the command-line tool for Cloud Storage, not Compute Engine. The command gsutil compute instances list is invalid and does not exist.

C. This option describes a manual daily action ("Go to Cloud Shell"), which fails to meet the core requirement of creating an "automated process".

D. This option describes a manual daily action ("Go to GCP Console"), which directly contradicts the requirement for an "automated process".

1. gcloud config configurations: The official documentation explains how to create and manage named sets of properties. "A configuration is a named set of gcloud CLI properties. These properties are key-value pairs that govern the behavior of the gcloud CLI."

Source: Google Cloud SDK Documentation

gcloud config configurations. (https://cloud.google.com/sdk/gcloud/reference/config/configurations)

2. gcloud compute instances list: This command is the correct tool for listing Compute Engine instances. The documentation states its purpose is to "List Google Compute Engine instances." It can be targeted at a specific project

which is controlled by the active gcloud configuration.

Source: Google Cloud SDK Documentation

gcloud compute instances list. (https://cloud.google.com/sdk/gcloud/reference/compute/instances/list)

3. gsutil Tool: The documentation clarifies that gsutil is for interacting with Cloud Storage. "gsutil is a Python application that lets you access Cloud Storage from the command line." It does not manage Compute Engine resources.

Source: Google Cloud Documentation

Cloud Storage

"gsutil tool". (https://cloud.google.com/storage/docs/gsutil)

To make a service on a Compute Engine instance accessible from outside the VPC network, you must create an ingress firewall rule. The standard and most effective method is to apply a network tag to the VM instance. This tag acts as an identifier. You then create a VPC firewall rule that allows ingress traffic, specifies the protocol (UDP) and port (636), and targets all instances with that specific network tag. This approach correctly configures the network security to permit the required client connections to the LDAP server.

A. Adding a network tag by itself does not create any network permissions. A tag is merely a label that must be referenced by a firewall rule to have any effect.

B. Routes are used to define paths for traffic to reach destinations, not to permit or deny connections. Firewall rules control access based on protocol and port.

D. An egress rule controls outbound traffic from the VM instance. To allow clients to connect to the server, an ingress (inbound) rule is required.

1. Google Cloud Documentation - VPC firewall rules overview: Under the "Components of a firewall rule" section

it states that a rule's target can be specified using "Target tags

" which applies the rule to instances with a matching network tag. The "Direction of traffic" component must be set to ingress for incoming connections.

Source: Google Cloud

"VPC firewall rules overview"

cloud.google.com/vpc/docs/firewalls#components.

2. Google Cloud Documentation - Using VPC firewall rules: This page provides examples of creating firewall rules. The common pattern shown is to define a rule with a direction (INGRESS)

a target (using targetTags)

a source filter

and a protocol/port specification. This directly aligns with the procedure described in the correct answer.

Source: Google Cloud

"Using VPC firewall rules"

cloud.google.com/vpc/docs/using-firewalls#creatingfirewallrules.

3. Google Cloud Documentation - Network tags overview: "Tags are useful for applying firewall rules... You make a firewall rule applicable to specific instances by using target tags." This reference clarifies that the primary purpose of tags in this context is to be used as targets for firewall rules

invalidating the option that suggests using a tag alone is sufficient.

Source: Google Cloud

"Configure network tags"

cloud.google.com/vpc/docs/add-remove-network-tags.

This scenario requires granting a principal (the service account from proj-sa) permissions to act on resources (VM disks) in a different project (proj-vm). The standard Google Cloud method for cross-project authorization is to grant the principal an Identity and Access Management (IAM) role on the project containing the resources. The Compute Storage Admin (roles/compute.storageAdmin) role contains the necessary permissions, such as compute.disks.createSnapshot, to manage storage resources like persistent disks and snapshots. By granting this role to the service account on the proj-vm project, you authorize it to perform the required actions.

A. Storing private keys in custom metadata is a significant security risk and does not grant the necessary cross-project permissions (authorization) for the service account to act on resources in another project.

B. Service account private keys are used for authenticating to Google Cloud APIs, not for user SSH access. SSH keys are a completely different authentication mechanism for interactive logins.

D. API scopes are a legacy authorization method that defines the maximum permissions for a service account attached to a VM. The primary and more granular method is IAM. This option fails to address the core requirement of granting the service account permissions in the target project (proj-vm).

1. Google Cloud Documentation

"Granting roles to service accounts": In the section "Granting a role to a service account for a project and resources within the project

" the documentation states

"To allow a service account to access resources in a different project

you can grant a role to the service account on the other project." This directly supports the cross-project IAM binding described in the correct answer.

2. Google Cloud Documentation

"IAM basic and predefined roles reference"

Compute Engine roles: The documentation for the Compute Storage Admin role (roles/compute.storageAdmin) confirms that it provides "Full control of Compute Engine storage resources

" which includes permissions for creating snapshots (compute.disks.createSnapshot).

3. Google Cloud Documentation

"Service accounts overview": This document clarifies that a service account is a principal

or an identity

which can be granted IAM roles to access resources. This reinforces the concept of treating the service account from proj-sa as an identity that needs permissions in proj-vm.

4. Google Cloud Documentation

"Access control for Compute Engine resources": This page contrasts IAM and API Scopes

stating

"In general

we recommend using IAM to manage access to Compute Engine resources instead of access scopes." This explains why relying on API scopes (Option D) is not the recommended or correct primary approach.

The most operationally efficient and rapid method to meet the requirements is to use a Managed Instance Group (MIG) based on an instance template. An instance template defines the configuration of the virtual machines, ensuring consistency. The MIG uses this template to manage a group of identical VMs. By configuring the MIG's autoscaler with a policy based on average CPU utilization, Google Cloud's managed service will automatically add or remove VMs to maintain the desired performance level. This native solution directly addresses the need to use VMs, scale on CPU, and do so efficiently without custom tooling.

A. Google Kubernetes Engine is a container orchestration service. It scales container pods, not virtual machines directly as required by the policy.

C. This option describes schedule-based autoscaling, which scales based on time, not on the required real-time CPU usage metric.

D. Building and maintaining a custom scaling solution with third-party tools is significantly less operationally efficient and more complex than using the native, fully managed autoscaler.

1. Google Cloud Documentation

"Autoscaling groups of instances": "Autoscaling helps your applications gracefully handle increases in traffic and reduces costs when the need for resources is lower. You define the autoscaling policy

and the autoscaler performs automatic scaling based on the measured load." The document further specifies CPU utilization as a primary scaling metric. (Source: Google Cloud

Compute Engine Documentation

"Autoscaling groups of instances").

2. Google Cloud Documentation

"Scaling based on CPU utilization": "You can configure the autoscaler to scale a managed instance group (MIG) based on the average CPU utilization of the instances in the group... The autoscaler adds or removes virtual machine (VM) instances from the MIG to maintain the target CPU level." This directly supports option B. (Source: Google Cloud

Compute Engine Documentation

"Autoscaling policies"

Section: "Scaling based on CPU utilization").

3. Google Cloud Documentation

"Instance templates": "An instance template is a resource that you can use to create VM instances and managed instance groups (MIGs). Instance templates define the machine type

boot disk image...

and other instance properties." This confirms that an instance template is the correct prerequisite for a MIG. (Source: Google Cloud

Compute Engine Documentation

"Instance templates").

4. Google Cloud Documentation

"Google Kubernetes Engine (GKE) overview": "GKE is a managed

production-ready environment for deploying containerized applications." This highlights that GKE's primary abstraction is the container

not the underlying VM

making option A incorrect for the stated requirement. (Source: Google Cloud

GKE Documentation

"Concepts"

Section: "Overview").

To allow SREs to approve access requests from Google support, they must be granted the accessapproval.requests.approve permission. This permission is included in the predefined IAM role roles/accessapproval.approver. Google's recommended best practice for managing permissions is to assign roles to groups rather than individual users. This approach simplifies administration, as membership changes are managed within the group without altering IAM policies. Therefore, the correct procedure is to add the SREs to a Google Group and then grant the roles/accessapproval.approver role to that group.

A. The roles/iam.roleAdmin role is for managing custom IAM roles, not for approving support access requests. It also violates the best practice of using groups.

B. While this assigns the correct role, it grants it to individual users directly, which contradicts the Google-recommended practice of using groups for scalable and manageable permissions.

C. This option correctly uses a group, but it assigns the roles/iam.roleAdmin role, which does not grant the necessary permissions to approve Access Approval requests.

1. Google Cloud Documentation

"Access Approval IAM roles": This document explicitly lists the roles/accessapproval.approver role and its associated permission

accessapproval.requests.approve

which is required to "Approve a request for access."

Source: Google Cloud > Documentation > Access Approval > Control access with IAM > Access Approval IAM roles.

2. Google Cloud Documentation

"Policy recommendations": This guide on best practices for IAM states

"Use Google Groups to manage principals... Using groups is a convenient way to manage access for a collection of users. You can grant and change access controls for a whole group at once

instead of granting or changing access controls for individual users one by one."

Source: Google Cloud > Documentation > Identity and Access Management > Best practices for using IAM > Policy recommendations > Use Google Groups to manage principals.

3. Google Cloud Documentation

"Overview of Access Approval": This document describes the purpose of the service: "Access Approval ensures that whenever a Google employee wants to access your user content for support and other services

they must get your explicit approval." This confirms that Access Approval is the correct service for the described scenario.

Source: Google Cloud > Documentation > Access Approval > Overview.

Google App Engine retains previously deployed versions of an application. The standard and immediate method for rolling back a faulty deployment is to use the built-in traffic splitting feature. By navigating to the 'Versions' page for the specific App Engine service, you can re-route 100% of the user traffic from the new, buggy version to a previously known stable version. This action is instantaneous and effectively reverts the application to its prior state without requiring a new deployment, thus minimizing downtime and impact on users.

A. gcloud app restore is not a valid gcloud command for App Engine. The correct command-line tool for managing traffic is gcloud app services set-traffic.

B. There is no single "Revert" button at the application level in the Google Cloud Console. Reverting is a function of traffic management between different versions.

D. This approach is incorrect and inefficient. App Engine automatically keeps prior versions, so redeploying is unnecessary. Furthermore, traffic is split between versions of a service, not between separate applications.

1. Google Cloud Documentation

"Splitting Traffic": "If you need to roll back a version

you can easily do so by migrating traffic to one or more other versions." This page details the process of using the Google Cloud Console to select a version and allocate 100% of traffic to it

which is the procedure described in the correct answer. (See section: "Migrating traffic to a single version").

2. Google Cloud Documentation

"Managing Versions": "When you deploy changes to your app

a new version is created and traffic is routed to it. You can

however

choose to not route traffic to the new version automatically... If you discover a bug in a new version

you can quickly roll back to a previous version by routing traffic to it." This confirms that previous versions are retained and that traffic routing is the intended rollback mechanism.

3. Google Cloud SDK Documentation

gcloud app services set-traffic: This command-line reference demonstrates the programmatic way to manage traffic splits. The documentation states its purpose is to "[s]et the traffic splitting configuration for a service." This reinforces that traffic management is the core concept for version control

and it implicitly shows that a command like gcloud app restore does not exist for this purpose.