PROFESSIONAL-CLOUD-DEVELOPER · Question #140
Your team is developing an application in Google Cloud that executes with user identities maintained by Cloud Identity. Each of your application's users will have an associated Pub/Sub topic to which
The correct answer is A. Bind the user identity to the pubsub.publisher and pubsub.subscriber roles at the resource level.. IAM bindings can be applied at the resource level (individual Pub/Sub topic or subscription) rather than at the project level. By binding each user's Cloud Identity to the pubsub.publisher role on their specific topic and the pubsub.subscriber role on their specific subscription,
Question
Your team is developing an application in Google Cloud that executes with user identities maintained by Cloud Identity. Each of your application's users will have an associated Pub/Sub topic to which messages are published, and a Pub/Sub subscription where the same user will retrieve published messages. You need to ensure that only authorized users can publish and subscribe to their own specific Pub/Sub topic and subscription. What should you do?
Exhibit
Options
- ABind the user identity to the pubsub.publisher and pubsub.subscriber roles at the resource level.
- BGrant the user identity the pubsub.publisher and pubsub.subscriber roles at the project level.
- CGrant the user identity a custom role that contains the pubsub.topics.create and
- DConfigure the application to run as a service account that has the pubsub.publisher and
How the community answered
(37 responses)- A73% (27)
- B5% (2)
- C5% (2)
- D16% (6)
Explanation
IAM bindings can be applied at the resource level (individual Pub/Sub topic or subscription) rather than at the project level. By binding each user's Cloud Identity to the pubsub.publisher role on their specific topic and the pubsub.subscriber role on their specific subscription, you ensure that each user can only interact with their own resources. Option B (project-level roles) would grant the user publish/subscribe permissions on every topic and subscription in the project-a violation of least privilege. Option C (custom role with pubsub.topics.create) grants the ability to create new topics, which is unnecessary and excessive; the resources already exist per user. Option D (single service account for the application) means all users share one identity, so there is no way to enforce per-user resource isolation-any user running through that service account could access any other user's topic or subscription.
Topics
Community Discussion
No community discussion yet for this question.
