Professional Cloud Security Engineer Exam Questions

Professional Cloud Security Engineer Exam - Question 29


Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.

What should your team grant to Engineering Group A to meet this requirement?

Correct Answer: BC

To let Engineering Group A attach Compute Engine instances to the 10.1.1.0/24 subnet and nothing else, grant the group the Compute Network User role (roles/compute.networkUser) on that subnet only. In a Shared VPC the subnets live in the host project (here co-vpc-prod), so the subnet-level binding is made in the host project; it lets members use that one subnet for instance network interfaces without letting them use other subnets or modify the firewall rules, subnets, or VPN gateway. Granting the same role at the host project level would cover every subnet in the project, and the Compute Shared VPC Admin role would let the group administer the Shared VPC itself, so the subnet-scoped grant is the minimum that meets the requirement, in line with the principle of least privilege. Note that the group still needs an instance-creation role (for example Compute Instance Admin) in its own service project; that is separate from the network-usage grant in the host project.
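The following is an added example, not code from the exam page or from Google's documentation. It models how a roles/compute.networkUser binding scopes differently when placed on the host project versus on a single subnet, and it builds the gcloud invocations that would create each binding. The host project name co-vpc-prod and the 10.1.1.0/24 CIDR come from the question; the subnet names, region, second subnet, and group address are constructed assumptions.

```python
# Added example (not from the exam page): a small model of how an IAM binding
# for roles/compute.networkUser scopes at the host-project level versus at the
# subnet level in a Shared VPC, plus the gcloud argv that creates each binding.
# co-vpc-prod and 10.1.1.0/24 come from the question; subnet names, region and
# the group address below are constructed for the example.
from dataclasses import dataclass

NETWORK_USER = "roles/compute.networkUser"
HOST_PROJECT = "co-vpc-prod"
GROUP = "group:eng-group-a@example.com"  # assumed identity for Engineering Group A


@dataclass(frozen=True)
class Subnet:
    project: str
    region: str
    name: str
    cidr: str

    @property
    def resource(self) -> str:
        # Full resource name of the subnet; IAM bindings on a subnet attach here.
        return f"projects/{self.project}/regions/{self.region}/subnetworks/{self.name}"


# Policy model: resource name -> set of (role, member) bindings.
Policy = dict[str, set[tuple[str, str]]]


def has_role(policy: Policy, resource: str, role: str, member: str) -> bool:
    return (role, member) in policy.get(resource, set())


def can_use_subnet(policy: Policy, member: str, subnet: Subnet) -> bool:
    """IAM is additive down the resource hierarchy: a binding on the project
    applies to every subnet in it, a binding on the subnet applies only there.
    Folder and organization ancestors are omitted from this model."""
    ancestors = [f"projects/{subnet.project}", subnet.resource]
    return any(has_role(policy, r, NETWORK_USER, member) for r in ancestors)


def usable_subnets(policy: Policy, member: str, subnets: list[Subnet]) -> list[str]:
    return [s.cidr for s in subnets if can_use_subnet(policy, member, s)]


def subnet_binding_cmd(subnet: Subnet, member: str) -> list[str]:
    """gcloud argv granting Compute Network User on ONE subnet (option B).
    The binding is made in the host project, where the subnet lives."""
    return [
        "gcloud", "compute", "networks", "subnets", "add-iam-policy-binding",
        subnet.name,
        f"--project={subnet.project}",
        f"--region={subnet.region}",
        f"--member={member}",
        f"--role={NETWORK_USER}",
    ]


def project_binding_cmd(project: str, member: str) -> list[str]:
    """gcloud argv for the host-project-wide grant (option A): every subnet in
    the host project becomes usable, which is broader than the requirement."""
    return [
        "gcloud", "projects", "add-iam-policy-binding", project,
        f"--member={member}",
        f"--role={NETWORK_USER}",
    ]


# Constructed sample: two subnets in the host project; Engineering Group A
# should be able to attach instances to only the first one.
SUBNETS = [
    Subnet(HOST_PROJECT, "us-central1", "eng-a-subnet", "10.1.1.0/24"),
    Subnet(HOST_PROJECT, "us-central1", "shared-db-subnet", "10.1.2.0/24"),
]


def option_b_policy() -> Policy:
    # Binding on the single subnet only.
    return {SUBNETS[0].resource: {(NETWORK_USER, GROUP)}}


def option_a_policy() -> Policy:
    # Binding on the whole host project.
    return {f"projects/{HOST_PROJECT}": {(NETWORK_USER, GROUP)}}


if __name__ == "__main__":
    print("subnet-level grant  :", usable_subnets(option_b_policy(), GROUP, SUBNETS))
    print("project-level grant :", usable_subnets(option_a_policy(), GROUP, SUBNETS))
    print(" ".join(subnet_binding_cmd(SUBNETS[0], GROUP)))
```

To verify the real binding after applying it, read the subnet's policy back from the host project with `gcloud compute networks subnets get-iam-policy SUBNET --region REGION --project co-vpc-prod` and confirm the group appears only under roles/compute.networkUser on that one subnet; the group members still need an instance-admin role in their service project to actually create the instance.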

Discussion

17 comments
mozammil89 (Option: B)
Mar 19, 2020

The correct answer is B. https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

ErenYeager (Option: B)
Feb 11, 2024

B) Compute Network User Role at the subnet level. The key points: In a Shared VPC, the subnets are configured in the host project. To allow another project to use a specific subnet, grant the Compute Network User role on that subnet. The Compute Shared VPC Admin role allows full administration, which is more privileged than needed. The Compute Network User role at the project level allows accessing all subnets, not just 10.1.1.0/24. So granting the Compute Network User role specifically on the 10.1.1.0/24 subnet gives targeted access to only that subnet, meeting the requirement. The subnet-level Compute Network User role provides the minimum necessary access to fulfill the need for Engineering Group A.

tangac (Option: A)
Sep 6, 2022

Based on that documentation, it should clearly be done at the host project level: https://cloud.google.com/compute/docs/access/iam#compute.networkUser

Xoxoo (Option: B)
Sep 23, 2023

To enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet in a Shared VPC setup, you should follow these steps: Grant the Compute Network User role at the service project level: This will allow members of Engineering Group A to create Compute Engine instances in their respective service projects. Grant the Compute Network User role specifically on the 10.1.1.0/24 subnet: To ensure that Engineering Group A can only attach instances to the desired subnet, you should grant the Compute Network User role directly at the subnet level. This way, they have the necessary permissions for that specific subnet without impacting other subnets in the Shared VPC. Option B, "Compute Network User Role at the subnet level," is the most appropriate choice in this scenario to achieve the desired outcome.

droppler (Option: D)
Jul 11, 2021

The right one is B in my thinking, but I need to enable the other team to do their jobs, which falls into D.

Medofree (Option: B)
Apr 10, 2022

The correct answer is B.

rajananna (Option: A)
Oct 1, 2022

Lowest level grant is at Project level. https://cloud.google.com/compute/docs/access/iam#compute.networkUser

Premumar
Oct 27, 2022

Lowest level grant is at Subnet level in this option. Project level is a broad level access.

AwesomeGCP (Option: B)
Oct 6, 2022

The correct answer is B. https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

Meyucho (Option: B)
Nov 15, 2022

Grant network.user at subnet level: https://cloud.google.com/vpc/docs/provisioning-shared-vpc#networkuseratsubnet

amanp (Option: A)
Feb 21, 2023

Answer is A, not B. The least level the Compute Network User role can be assigned at is the project level and NOT the subnet level. https://cloud.google.com/compute/docs/access/iam#compute.networkUser

mahi9 (Option: B)
Feb 26, 2023

The Admin role is not required.

aashissh (Option: B)
Apr 15, 2023

To enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet in a Shared VPC Network where project co-vpc-prod is the host project, your team should grant Compute Network User Role at the subnet level. This will allow Engineering Group A to create and manage resources in the specified subnet while restricting them from making changes to other resources in the host project. Granting Compute Network User Role at the host project level would allow Engineering Group A to create and manage resources across all subnets in the host project, which is more than what is needed in this case. Compute Shared VPC Admin Role at either the host or service project level would give Engineering Group A too much control over the Shared VPC Network.

[Removed] (Option: B)
Jul 21, 2023

"B" seems to be the most appropriate answer. See step 4 here: https://medium.com/google-cloud/google-cloud-shared-vpc-b33e0c9dd320

shetniel (Option: B)
Sep 22, 2023

The correct answer is B per the least-privileged access rule.

piyush_1982 (Option: B)
Jul 27, 2022

https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

Olen93 (Option: B)
Feb 22, 2023

The correct answer is B. https://cloud.google.com/compute/docs/access/iam#compute.networkUser states that the lowest level it can be granted on is the project; however, I did confirm on my own company's Shared VPC that roles/compute.networkUser can be granted at the subnet level.

okhascorpio (Option: A)
Feb 18, 2024

A is right. Source: https://cloud.google.com/compute/docs/access/iam#compute.networkUser

stefanop
Jul 12, 2024

This permission can be granted only at the project level, not the subnet level.