Study Google Cloud ACE IAM Policies and Roles: key concepts, common traps, and exam decision cues.
This lesson is about understanding what Google Cloud access actually means. ACE expects you to know when a predefined role is enough, when a custom role is justified, and how policies expose who has what access.
Predefined role: Google-maintained role with a known set of permissions for a broad job function.
Custom role: User-defined role that contains a tailored permission set when predefined roles are too broad or too narrow.
ACE wants you to separate:
Many stems are not really asking “what is IAM?” They are asking whether you can spot that the access problem is too much scope, the wrong role type, or missing policy visibility.
| If the question is mainly about… | Strongest first lane |
|---|---|
| broad job access that already matches a common Google Cloud duty | predefined role |
| an old all-powerful role that is too broad for a sensitive task | narrower predefined role or custom role |
| a permission bundle that does not fit any built-in role cleanly | custom role |
| “just make it work” admin-style access in a stem that cares about least privilege | avoid basic roles unless the stem clearly forces them |
Basic roles exist, but ACE usually treats them as a warning sign because they are so broad. If a question mentions a sensitive action and asks for minimum necessary access, the stronger answer is usually a narrower predefined role or a custom role.
| Scope question | Why it matters |
|---|---|
| organization or folder? | inheritance can grant far more than the local team intended |
| project? | many operator tasks live here, and overgranting here is common |
| individual resource? | this is often the safer answer when the task is narrow |
| existing policy already grants access? | always inspect before creating more bindings |
ACE repeatedly rewards candidates who check the scope of the binding before changing the kind of role. A good role bound too high is still too much access.
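Two of the checks above (basic roles as an overgranting warning sign, and inspecting the existing policy before adding bindings) can be applied mechanically to a policy document. The following is an added example, not part of this lesson: a small Python audit over a constructed project-level IAM policy in the same JSON shape that `gcloud projects get-iam-policy --format=json` returns; the members, roles and etag are constructed sample values.

```python
import json

# Basic (primitive) roles: broad bundles that ACE treats as a warning sign.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (not a real project); same top-level shape as
# `gcloud projects get-iam-policy PROJECT --format=json` output.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/run.developer",
     "members": ["group:sre-team@example.com", "user:bob@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "CONSTRUCTED_ETAG",
  "version": 1
}
"""


def load_policy(policy_json):
    """Parse the JSON policy document into a dict."""
    return json.loads(policy_json)


def roles_for_member(policy, member):
    """All roles already bound to `member` in this policy: existing access."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def basic_role_bindings(policy):
    """(role, member) pairs that bind a basic role; each is a least-privilege review item."""
    return sorted((b["role"], m)
                  for b in policy.get("bindings", []) if b["role"] in BASIC_ROLES
                  for m in b.get("members", []))


def needs_new_binding(policy, member, wanted_role):
    """True only if the member does not already hold the role; inspect before binding."""
    return wanted_role not in roles_for_member(policy, member)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for role, member in basic_role_bindings(policy):
        print(f"review: basic role {role} bound to {member}")
    print("bob already has run.developer:",
          not needs_new_binding(policy, "user:bob@example.com", "roles/run.developer"))
```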
Use a custom role when:
Do not reach for a custom role first when a clean predefined role already fits. ACE is not testing whether you can over-engineer IAM.
| Trap | Better reading |
|---|---|
| “A predefined role is broad, so custom role is always better.” | Custom roles are justified only when the built-in roles do not fit the least-privilege target cleanly. |
| “The role looks right, so the access must be correct.” | The same role can still be too broad if it is granted at the wrong scope. |
| “Basic roles are fine for speed.” | On ACE, basic roles usually signal avoidable overgranting. |
| “If access fails, create a new role immediately.” | First inspect the current IAM policy and the resource hierarchy. |
A team member needs to restart one production service in a single project. The existing predefined roles are either too broad or also grant access to unrelated resources. Which lane is strongest first?
Owner at the folder level
Correct answer: C. ACE prefers least-privilege access at the narrowest workable scope. The point of the question is not just the role type. It is the combination of permission fit and binding scope.