A security engineer is reviewing an IAM policy for a Cloud Storage bucket. The engineer wants to ensure that the service account 'sa@project.iam.gserviceaccount.com' can only read objects. What is the current effective permission?
The policy explicitly grants objectViewer role to the service account.
Why this answer
Option C is correct because the service account is assigned the objectViewer role, which allows read-only access. Option A is incorrect because the service account does not have objectAdmin. Option B is incorrect because there is no explicit deny; the viewer role is assigned.
Option D is incorrect because objectCreator is not granted.