A DevOps team wants to grant a contractor temporary access to a specific Cloud Storage bucket for 30 days. The contractor has a Google account (example@gmail.com). The bucket contains sensitive data, and the access should be as restrictive as possible. What is the recommended way to grant this access?
Bucket-level IAM is granular and can be removed after 30 days.
Why this answer
Option C is correct because bucket-level IAM policies allow you to grant granular, time-bound access to a specific bucket without affecting other resources in the project. By adding the contractor's email (example@gmail.com) to the bucket-level IAM policy with the 'Storage Object Viewer' role, you restrict access to only that bucket and only to read objects, which is the most restrictive approach for a 30-day temporary access requirement.
Exam trap
Google Cloud often tests the distinction between project-level and resource-level IAM policies, and the trap here is that candidates choose project-level IAM (Option B) thinking it's simpler, but they overlook that it grants access to all buckets in the project, violating the principle of least privilege.
How to eliminate wrong answers
Option A is wrong because bucket ACLs are legacy and do not support IAM conditions for time-bound access; they also lack the granularity of IAM roles and are not recommended for new configurations. Option B is wrong because adding the contractor to the project-level IAM policy grants read access to all storage buckets in the project, which violates the 'as restrictive as possible' requirement and exposes other sensitive data. Option D is wrong because signed URLs provide temporary access to specific objects, not the entire bucket, and managing them for all objects over 30 days is impractical and insecure for ongoing bucket-level access.
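To make the correct answer concrete, here is an added example (not part of the original question page) that builds the bucket-level binding the explanation describes, a single `user:` member, `roles/storage.objectViewer` only, and an IAM Condition that stops granting the role once the 30 days have passed, and then audits a bucket policy for bindings whose expiry is behind us. The policy document shape is the JSON that `gcloud storage buckets get-iam-policy` prints and `set-iam-policy` reads; the bucket name, the condition title and the starting policy are constructed for illustration. Two practical caveats the page does not spell out: conditional bindings need `"version": 3` in the policy, and IAM Conditions on a bucket only work when uniform bucket-level access is enabled (legacy ACL mode, Option A, has no equivalent).

```python
"""Added example: time-bound, least-privilege bucket IAM binding plus an expiry audit.

Not code from the original page. Assumed (not from the page): the condition title
'contractor-temp-access', the sample starting policy, and the bucket name in comments.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

OBJECT_VIEWER = "roles/storage.objectViewer"  # read objects only, nothing else

def expiry_condition(title: str, expires_at: datetime) -> Dict:
    """IAM Condition (CEL) that stops granting the role once `expires_at` passes."""
    ts = expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "title": title,
        "description": f"Temporary access, expires {ts}",
        "expression": f'request.time < timestamp("{ts}")',
    }

def temporary_viewer_binding(member_email: str, start: datetime, days: int = 30) -> Dict:
    """Bucket-level binding: one Google account, read-only objects, expiring after `days`."""
    return {
        "role": OBJECT_VIEWER,
        "members": [f"user:{member_email}"],
        "condition": expiry_condition("contractor-temp-access", start + timedelta(days=days)),
    }

def add_binding(policy: Dict, binding: Dict) -> Dict:
    """Return a copy of the policy with the binding appended; version 3 is required for conditions."""
    new_policy = json.loads(json.dumps(policy))
    new_policy["version"] = 3
    new_policy.setdefault("bindings", []).append(binding)
    return new_policy

_TS_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

def binding_expiry(binding: Dict) -> Optional[datetime]:
    """Expiry parsed from a request.time condition; None if unconditional or a different expression."""
    cond = binding.get("condition")
    if not cond:
        return None
    m = _TS_RE.search(cond.get("expression", ""))
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def expired_bindings(policy: Dict, now: datetime) -> List[Dict]:
    """Bindings whose condition no longer grants access: the condition already blocks them,
    but they stay in the policy until removed, so they belong on the access-review list."""
    out = []
    for b in policy.get("bindings", []):
        exp = binding_expiry(b)
        if exp is not None and now >= exp:
            out.append(b)
    return out

def unconditional_bindings(policy: Dict) -> List[Dict]:
    """Bindings with no condition at all; worth a second look when the access was meant to be temporary."""
    return [b for b in policy.get("bindings", []) if not b.get("condition")]

if __name__ == "__main__":
    # Constructed starting policy, in the shape `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints.
    policy = {"bindings": [{"role": "roles/storage.admin", "members": ["group:devops@example.com"]}]}
    granted = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = add_binding(policy, temporary_viewer_binding("example@gmail.com", granted))
    # Write this out and apply with: gcloud storage buckets set-iam-policy gs://BUCKET policy.json
    print(json.dumps(policy, indent=2))
    # Access review 31 days later: the contractor binding has expired and can be deleted.
    for b in expired_bindings(policy, granted + timedelta(days=31)):
        print("expired:", b["members"], b["role"])
```

The expression grants nothing after the timestamp even if nobody remembers to revoke, which is the property that makes Option C both restrictive and time-bound; the audit functions are what you run on the get-iam-policy output during a periodic review to prune the leftover binding.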