A security auditor needs read-only access to Compute Engine instance metadata but should not be able to start or stop instances. Which predefined IAM role should be assigned?
Correct answer: roles/compute.viewer, described as "Provides read-only access to Compute Engine resources."
Why this answer
roles/compute.viewer grants read-only access to Compute Engine resources: it carries the get and list permissions (for instances, compute.instances.get and compute.instances.list, which return the instance resource including its metadata key-value pairs) but none of the write permissions such as compute.instances.start, compute.instances.stop or compute.instances.setMetadata. That is exactly the requirement: metadata is readable, instance lifecycle and configuration are not. One caveat when scoping an auditor this way: read-only still means everything in the metadata is visible, including startup-script and ssh-keys entries, so the role is only as safe as the practice of keeping secrets out of instance metadata in the first place.
Exam trap
The trap is picking a role because it contains the needed read access as a subset. roles/compute.instanceAdmin.v1 does let you read instance metadata, but it also carries write permissions to start, stop, delete and reconfigure instances (including setting metadata). Least privilege means selecting the narrowest predefined role that still satisfies the requirement, so a role that adds write access on top of read access is wrong even though it would "work" for the auditor.
How to eliminate wrong answers
Option A is wrong because roles/compute.instanceAdmin.v1 includes permissions to start, stop, delete and modify instances (including compute.instances.setMetadata), which exceeds the required read-only access. Option B is wrong because roles/compute.admin provides full administrative control over all Compute Engine resources, including starting and stopping instances; it is strictly broader than instanceAdmin.v1. Option C is wrong because roles/compute.networkAdmin is a write-capable role scoped to networking resources (networks, subnets, routes and similar); it is aimed at the wrong resource type and is not read-only, so it fails the requirement on both counts.
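The elimination above is a least-privilege check: the chosen role must cover the permissions the auditor needs and must not carry any state-changing permission. The following Python is an added example for this page (not Google's code and not part of the original question) that runs that check over constructed, abbreviated permission subsets of the four roles discussed; the subsets are limited to what matters for the question and are not the full permission lists, which come from gcloud iam roles describe.

```python
"""Least-privilege check for picking a read-only Compute Engine role.

Added example for this page; it is not Google's code and not part of the
original question. The permission sets below are a constructed, abbreviated
subset of each predefined role, limited to what matters for the question.
The authoritative list for any role comes from
`gcloud iam roles describe roles/compute.viewer`.
"""

# Constructed subsets (not the full permission lists of these roles).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "roles/compute.viewer": {
        "compute.instances.get",
        "compute.instances.list",
        "compute.zones.list",
    },
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get",
        "compute.instances.list",
        "compute.instances.start",
        "compute.instances.stop",
        "compute.instances.delete",
        "compute.instances.setMetadata",
    },
    "roles/compute.admin": {
        "compute.instances.get",
        "compute.instances.list",
        "compute.instances.start",
        "compute.instances.stop",
        "compute.instances.setMetadata",
        "compute.networks.create",
        "compute.networks.delete",
    },
    "roles/compute.networkAdmin": {
        "compute.instances.get",
        "compute.instances.list",
        "compute.networks.create",
        "compute.subnetworks.create",
        "compute.routes.create",
    },
}

# What the auditor actually needs: read the instance resource (which carries
# the metadata key-value pairs) and enumerate instances.
REQUIRED_PERMISSIONS = {"compute.instances.get", "compute.instances.list"}


def is_read_only(permission: str) -> bool:
    """Treat a permission as read-only when its verb is a get*/list* form.

    Compute permissions are '<service>.<resource>.<verb>'. Anything that is
    not a get or list (start, stop, setMetadata, create, delete, use, ...)
    changes state and counts as write.
    """
    verb = permission.rsplit(".", 1)[-1]
    return verb.startswith("get") or verb.startswith("list")


def evaluate_role(permissions: set[str], required: set[str]) -> tuple[set[str], set[str]]:
    """Return (required permissions the role lacks, write permissions it carries)."""
    missing = required - permissions
    writes = {p for p in permissions if not is_read_only(p)}
    return missing, writes


def choose_read_only_roles(role_permissions: dict[str, set[str]], required: set[str]) -> list[str]:
    """Roles that cover every required permission and carry no write permission."""
    chosen = []
    for role, perms in role_permissions.items():
        missing, writes = evaluate_role(perms, required)
        if not missing and not writes:
            chosen.append(role)
    return sorted(chosen)


def explain_rejections(role_permissions: dict[str, set[str]], required: set[str]) -> dict[str, str]:
    """Map each rejected role to the reason a least-privilege reviewer would give."""
    reasons = {}
    for role, perms in role_permissions.items():
        missing, writes = evaluate_role(perms, required)
        if missing:
            reasons[role] = "missing " + ", ".join(sorted(missing))
        elif writes:
            reasons[role] = "grants write: " + ", ".join(sorted(writes))
    return reasons


if __name__ == "__main__":
    print("acceptable:", choose_read_only_roles(ROLE_PERMISSIONS, REQUIRED_PERMISSIONS))
    for role, why in explain_rejections(ROLE_PERMISSIONS, REQUIRED_PERMISSIONS).items():
        print(f"rejected {role}: {why}")
```

To run the same check against the real role definitions, replace the constructed sets with the output of gcloud iam roles describe roles/compute.viewer --format="value(includedPermissions)" (and likewise for the other roles). Once the role is confirmed, the grant itself is a single binding, for example gcloud projects add-iam-policy-binding PROJECT_ID --member=user:auditor@example.com --role=roles/compute.viewer, where PROJECT_ID and the member address are placeholders.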