Exam Professional Cloud Network Engineer topic 1 question 30 discussion

Correct Answer are (D) & (E) GetIamPolicy and SetIamPolicy is only for service accounts. But question asks for a project members. Hence, D and E are correct ans. D - https://cloud.google.com/iam/docs/granting-changing-revoking-access#granting-gcloud-manual E - https://cloud.google.com/iam/docs/granting-changing-revoking-access#access-control-via-console

A) GetIamPolicy() would not do anything by itself but see (B) B) would require use of GetIamPolicy() as otherwise SetIamPolicy() override existing binding C) obviously wrong, question is not about pubsub D) the documentation indicate that project_id need to be used not project_name, would therefore return an error E) would work, despite being very vague, but is not automation. Now, the question ask for "which 2 _methods_ can be used to achieve that". Both GetIamPolicy() and SetIamPolicy() are programatic _methods_ that if used together could achieve that. Therefore one could roll with A&B in the spirits of that very tricky question.

The correct options are BD. Reason: B. setIamPolicy() via REST API: You can use the setIamPolicy() method via the REST API to update the IAM policy of a project, granting roles programmatically. This allows automation and scripting, aligning with your goal of minimizing manual management. D. gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor: The gcloud command-line tool is a common method to manage IAM roles for projects. This command allows you to grant the roles/editor role to a user, making it suitable for automation and scripting within a project.

Both methods can be used to grant the editor role to a project member using scripting and automation. The setIamPolicy() method via REST API can be used to set the IAM policy for a project. The IAM policy is a JSON document that specifies the roles and members that have access to the project. To grant the editor role to a project member, you can use the following JSON document: { "bindings": [ { "role": "roles/editor", "members": [ "user:Susername" ] } ] } The gcloud projects add-iam-policy-binding command can be used to add a binding to the IAM policy for a project. A binding is a pair of a role and a member. To grant the editor role to a project member, you can use the following command: gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

D and B.

B) https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy D) https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding

BD are correct. Scripting and Automation!

Keywords: scripting and automation + the word "methods" search for the word "method" in the below documentation and see where it's mentioned :) https://cloud.google.com/iam/docs/granting-changing-revoking-access#multiple-roles-programmatic

Option D is correct because it uses the gcloud command-line tool to add an IAM policy binding to a project. This command adds a new IAM policy binding to a project, granting the specified user the editor role. Option E is correct because it describes the process of using the GCP Console to grant the editor role to a project member. This can be done by entering the member's email address in the Add members field and selecting the editor role from the drop-down menu.

B & D are correct. B. setIamPolicy() via REST API - This method updates the IAM policy for a resource, such as a project, and allows you to add or modify members and their roles. D. gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor - This method uses the gcloud command-line tool to add an IAM policy binding for a specific project and member. Option A is not sufficient because getIamPolicy() only retrieves the current IAM policy for a resource, but does not allow for modifying it. Option C is not sufficient because it is a command for Pub/Sub, not for managing IAM policies for projects. Option E is not sufficient because it requires manual interaction with the GCP Console, and cannot be easily scripted or automated.

I think BD are the correct ones by elimination: A. GetIamPolicy() - read only method and BTW with a typo (should be getIAmPolicy but I guess that's not the intenional mistake) B. setIamPolicy() via REST API - does the job! C. gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor - nothing to do because points to pubsub D. gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor - does the job! E. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console. - no automation option

two methods for set permissions

A. GetIamPolicy() via REST API B. setIamPolicy() via REST API

I go for AB because of EranSolstice explanaition seems correct to me, see https://cloud.google.com/iam/docs/granting-changing-revoking-access#multiple-roles No idea why people vote for E - this is not automation at all.

I think D&E is correct answer

I'd vote A and B as @EranSolstice says, because of the following exceprt from here https://cloud.google.com/iam/docs/granting-changing-revoking-access#multiple-roles To make large-scale access changes that involve granting and revoking MULTIPLE roles, use the read-modify-write pattern to update the resource's IAM policy: Reading the current policy by calling getIamPolicy(). Editing the returned policy, either by using a text editor or programmatically, to add or remove any principals or role bindings. Writing the updated policy by calling setIamPolicy().

I'd vote A and B as @EranSolstice says, because of the following exceprt from here https://cloud.google.com/iam/docs/granting-changing-revoking-access#multiple-roles To make large-scale access changes that involve granting and revoking MULTIPLE roles, use the read-modify-write pattern to update the resource's IAM policy: Reading the current policy by calling getIamPolicy(). Editing the returned policy, either by using a text editor or programmatically, to add or remove any principals or role bindings. Writing the updated policy by calling setIamPolicy().