An engineer needs to grant an external auditor read-only access to a subset of Cloud Storage buckets in a project. The auditor's identity is a Google account. Which IAM approach should the engineer use?
- A. Add the auditor's email as a member with the Storage Admin role on the project.
  Why wrong: Storage Admin is too permissive; the auditor would have full control over all buckets, including deletion.
- B. Use a signed URL for each object the auditor needs to see.
  Why wrong: Signed URLs are for temporary access to specific objects, not suitable for ongoing read-only access to a set of buckets.
- C. Add the auditor's email as a member with the Storage Object Viewer role on each individual bucket.
  Why wrong: While functionally correct, managing bucket-level roles for many buckets is cumbersome and less scalable than using project-level roles with conditions.
- D. Add the auditor's email as a member with the Storage Object Viewer role on the project, and use IAM Conditions to restrict access to specific bucket resources.
  Why correct: This grants read-only access to the specified buckets only, using conditions for fine-grained control.