Understanding IAM role types is one thing. Knowing which specific predefined roles to reach for in a given scenario is what the Associate Cloud Engineer exam actually tests. When a question describes a data analyst who needs to run BigQuery queries but not modify data, you need to know the exact role name without guessing. This article covers the predefined roles that appear most frequently on the exam, organized by service.
BigQuery has a layered set of predefined roles that separate data access from job execution, which is worth understanding because they are not always intuitive.
BigQuery Admin (roles/bigquery.admin) grants full control over all BigQuery resources in the project. Use this for administrators who manage datasets, jobs, and access control.
BigQuery Data Editor (roles/bigquery.dataEditor) allows creating, updating, and deleting tables and datasets, but does not allow running queries. A user with only this role cannot execute a SELECT statement.
BigQuery Data Viewer (roles/bigquery.dataViewer) allows reading tables and metadata. Like Data Editor, it does not on its own include the ability to run queries.
BigQuery Job User (roles/bigquery.jobUser) allows creating and running BigQuery jobs, including queries. This is what makes queries actually execute.
The exam tests the combination requirement. A data analyst who needs to run queries against a dataset typically needs both BigQuery Data Viewer (to read the data) and BigQuery Job User (to run the query job). Giving them only one of the two is a common wrong answer. BigQuery Data Owner adds the ability to manage access control on datasets.
Storage Admin (roles/storage.admin) grants full control over buckets and objects. Use this for administrators who need to create buckets, set lifecycle rules, and manage access.
Storage Object Admin (roles/storage.objectAdmin) grants full control over objects within existing buckets, but not the ability to create or delete buckets. This is appropriate for applications that read and write objects but should not be able to alter bucket configuration.
Storage Object Creator (roles/storage.objectCreator) allows creating new objects in a bucket but not reading or deleting existing objects. Useful for write-only pipelines where you want to prevent data from being read or overwritten by the writing application.
Storage Object Viewer (roles/storage.objectViewer) allows reading objects and listing bucket contents. Use this for applications or users that need read access without any write capability.
The exam tests these roles in scenarios involving the principle of least privilege. A Cloud Function that only writes processed results to a bucket should have Storage Object Creator, not Storage Object Admin or Storage Admin.
Compute Admin (roles/compute.admin) grants full control over all Compute Engine resources. Use this for administrators who manage VMs, networks, disks, and firewall rules.
Compute Instance Admin (roles/compute.instanceAdmin) grants control over VM instances but not networking or firewall configuration. This is appropriate for developers who need to start, stop, and configure VMs but should not be modifying network settings.
Compute Viewer (roles/compute.viewer) grants read-only access to Compute Engine resources. Use this for monitoring teams or auditors who need visibility without modification rights.
Service Account Admin (roles/iam.serviceAccountAdmin) allows creating, deleting, and managing service accounts. Use this for platform administrators responsible for service account lifecycle.
Service Account User (roles/iam.serviceAccountUser) allows attaching a service account to a resource (like a VM or Cloud Run service) without the ability to manage the service account itself. This is the role a developer needs when deploying to a service that runs as a specific service account.
The exam tests the Service Account User role specifically in deployment scenarios. A developer with Cloud Run Developer cannot deploy a service that runs as a specific service account unless they also have Service Account User on that service account.
Logging Admin (roles/logging.admin) grants full control over Cloud Logging, including creating log sinks, excluding logs, and managing log buckets. Operations teams responsible for log routing and retention need this role.
Logs Viewer (roles/logging.viewer) grants read access to logs. Use this for developers or security teams who need to read logs but should not modify log configurations.
Monitoring Admin (roles/monitoring.admin) grants full control over Cloud Monitoring, including creating alerting policies, dashboards, and notification channels.
Monitoring Viewer (roles/monitoring.viewer) grants read-only access to monitoring data and dashboards. Use this for stakeholders who need visibility into metrics without the ability to change alert configurations.
Cloud Run Admin (roles/run.admin) grants full control over Cloud Run services, including deploying, updating, and deleting services and configuring IAM on them. Use this for platform engineers responsible for managing Cloud Run infrastructure.
Cloud Run Developer (roles/run.developer) allows deploying and updating Cloud Run services but does not include the ability to manage IAM on services. This is appropriate for developers who deploy their own services but should not control who can invoke or administer those services.
Cloud Run Invoker (roles/run.invoker) allows calling Cloud Run services that require authentication. When a Cloud Run service is not set to allow unauthenticated invocations, any caller — whether a user, a service account, or another service — needs this role to invoke it. The exam tests this role in scenarios where a service-to-service call is failing despite both services existing and being deployed.
For GKE, Kubernetes Engine Admin (roles/container.admin) grants full control over GKE clusters and Kubernetes resources within them. Kubernetes Engine Developer (roles/container.developer) grants access to Kubernetes resources within clusters but not the ability to create or delete clusters themselves. Kubernetes Engine Cluster Admin (roles/container.clusterAdmin) provides control over cluster configuration without access to Kubernetes resources running inside the cluster.
The Cloud Run Invoker role is one of the most tested GCP IAM details on the exam. Questions typically describe a Cloud Run service that returns a 403 error when called by another service or by a user, and the answer involves granting the Cloud Run Invoker role to the calling identity.
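The three "missing half" scenarios above (Data Viewer without Job User, Cloud Run Developer without Service Account User, and a caller without Cloud Run Invoker) can be modelled as a permission check over a policy. This is an added example, not code from the article or from Google; ROLE_PERMS is a deliberately reduced subset of each role's real permission list, the resource names and bindings are constructed, and the functions return the (permission, resource) pairs a principal still lacks, so an empty list means the action is allowed.

```python
# Added example: ROLE_PERMS holds only the permissions these checks need
# (assumption: a subset, not the full predefined-role definitions).
ROLE_PERMS = {
    "roles/bigquery.admin": {"bigquery.jobs.create", "bigquery.tables.getData"},
    "roles/bigquery.dataViewer": {"bigquery.tables.getData"},
    "roles/bigquery.dataEditor": {"bigquery.tables.getData"},
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/run.developer": {"run.services.create", "run.services.update"},
    "roles/run.invoker": {"run.routes.invoke"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}

def has_permission(bindings, member, permission, resource):
    """True if a binding on `resource` or an ancestor grants `permission`.
    A binding is an ancestor when the target path starts with its resource."""
    for b in bindings:
        if member not in b["members"]:
            continue
        if resource != b["resource"] and not resource.startswith(b["resource"] + "/"):
            continue
        if permission in ROLE_PERMS.get(b["role"], set()):
            return True
    return False

def missing(bindings, member, needs):
    """Return the (permission, resource) pairs the member does not have."""
    return [n for n in needs if not has_permission(bindings, member, *n)]

def query_gaps(bindings, member, project, table):
    # A SELECT needs a job in the project plus read access to the table.
    return missing(bindings, member, [("bigquery.jobs.create", project),
                                      ("bigquery.tables.getData", table)])

def deploy_gaps(bindings, member, project, service_account):
    # Deploying as a runtime identity needs actAs on that service account.
    return missing(bindings, member, [("run.services.create", project),
                                      ("iam.serviceAccounts.actAs", service_account)])

def invoke_gaps(bindings, member, service):
    # Without run.routes.invoke an authenticated service answers 403.
    return missing(bindings, member, [("run.routes.invoke", service)])

# Constructed sample names and policy (not real resources).
PROJECT = "projects/demo-prj"
DATASET = PROJECT + "/datasets/sales"
TABLE = DATASET + "/tables/orders"
RUNTIME_SA = PROJECT + "/serviceAccounts/api@demo-prj.iam.gserviceaccount.com"
BACKEND = PROJECT + "/services/backend"
FRONTEND = "serviceAccount:frontend@demo-prj.iam.gserviceaccount.com"
BINDINGS = [
    {"resource": DATASET, "role": "roles/bigquery.dataViewer", "members": ["user:analyst@example.com"]},
    {"resource": PROJECT, "role": "roles/run.developer", "members": ["user:dev@example.com"]},
]
```

Adding a `roles/bigquery.jobUser` binding on PROJECT for the analyst, or a `roles/run.invoker` binding on BACKEND for the frontend identity, empties the corresponding gap list.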
My Associate Cloud Engineer course covers these roles in the context of realistic exam scenarios, so you can recognize the right predefined role from a description of what someone needs to accomplish rather than memorizing role names in isolation.