Refer to the exhibit. A user (ops@example.com) is unable to create a new VPC network in the project. What should the administrator verify first?
The current role is read-only; a more permissive role is needed.
Why this answer
To create a VPC network in Google Cloud, the user needs the compute.networks.create permission. The roles/compute.networkAdmin IAM role includes this permission, along with others needed to manage VPC networks. Option D correctly identifies that the user must have appropriate IAM roles, specifically roles/compute.networkAdmin or a custom role with the necessary compute.networks.create permission.
Exam trap
Google Cloud often tests the principle of least privilege and the specific IAM roles required for VPC operations, trapping candidates who assume that a broad role like compute.admin or owner is the first thing to verify, rather than the more specific networkAdmin role.
How to eliminate wrong answers
Option A is wrong because roles/compute.admin is a highly privileged role that includes all compute permissions, but it is not the minimum required role; the question asks what the administrator should verify first, and checking for a more specific role like roles/compute.networkAdmin is more appropriate.
Option B is wrong because the project owner role (roles/owner) includes all permissions, but it is overly broad and not the first thing to verify; the administrator should check for the specific network admin role first.
Option C is wrong because roles/storage.admin grants permissions for Cloud Storage, not for VPC network creation, which requires compute.networks.* permissions.