
The Professional Cloud Architect exam expects you to recognize a handful of gcloud commands for working with IAM. The list is short, but it appears often enough on practice questions that I want to walk through each one in plain terms.
If you build a custom role in one project and want the same role to exist in another project, you don't have to recreate it field by field. The gcloud iam roles copy command replicates the role for you.
gcloud iam roles copy \
--source="projects/SOURCE_PROJECT/roles/ROLE_ID" \
--destination=ROLE_ID \
--dest-project=DESTINATION_PROJECT
This is most useful when you have a set of custom roles that need to stay consistent across many projects. Build the role once, copy it everywhere, and avoid drift between environments.
The other family of commands you should recognize is get-iam-policy. This is how you ask Google Cloud which principals have access to a given resource and which role each one holds. The pattern is consistent: pick the resource type, then ask for its policy.
To see every principal bound to a project and the role they hold:
gcloud projects get-iam-policy PROJECT_ID
This returns the bindings at the project resource. It does not climb the hierarchy to show inherited folder or organization bindings, so keep the resource hierarchy in mind when you read the output.
Buckets carry their own IAM policy below the project level. To inspect the bindings on a single bucket:
gcloud storage buckets get-iam-policy gs://BUCKET_NAME
You will see this in scenarios where a team has been granted a project-wide role but a specific bucket has additional bindings layered on top.
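As an added example (not from the original post, and not gcloud's own code), here is a small Python script that reads two policies in the JSON shape `get-iam-policy --format=json` returns, merges the project bindings a bucket inherits with the bucket's own bindings, and flags bindings to public principals. The policies, principals and etags are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample policies in the JSON shape `gcloud ... get-iam-policy --format=json`
# returns; the principals and etags are made up, not from any real project.
PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]}],
  "etag": "BwXconstructed=", "version": 1}""")
BUCKET_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}],
  "etag": "BwYconstructed=", "version": 1}""")
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def members_by_role(policy):
    """Flatten bindings into {role: set(members)}. A binding carrying a
    "condition" key is treated as unconditional here, which over-approximates."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        out[binding["role"]].update(binding.get("members", []))
    return out

def effective_bucket_roles(project_policy, bucket_policy):
    """{member: set(roles)} on the bucket: its own bindings plus the project
    bindings it inherits. Folder/organization bindings are in neither policy,
    so this is a lower bound on who can reach the bucket."""
    roles = defaultdict(set)
    for policy in (project_policy, bucket_policy):
        for role, members in members_by_role(policy).items():
            for member in members:
                roles[member].add(role)
    return dict(roles)

def public_bindings(policy):
    """Sorted (role, principal) pairs that grant access to everyone."""
    return sorted((role, m) for role, members in members_by_role(policy).items()
                  for m in members if m in PUBLIC_PRINCIPALS)

if __name__ == "__main__":
    for member, roles in sorted(effective_bucket_roles(PROJECT_POLICY, BUCKET_POLICY).items()):
        print(f"{member}: {', '.join(sorted(roles))}")
    for role, principal in public_bindings(BUCKET_POLICY):
        print(f"PUBLIC: {principal} holds {role} on the bucket")
```

To run it against real output, pipe `gcloud projects get-iam-policy PROJECT_ID --format=json` and the bucket equivalent into files and load those instead of the constructed policies.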
Compute instances also support resource-level IAM. The command needs both the instance name and the zone:
gcloud compute instances get-iam-policy INSTANCE_NAME --zone=ZONE
Forgetting the --zone flag is the most common mistake I see. The command will not assume a default zone for you.
The Professional Cloud Architect exam will not ask you to type these commands from a blank prompt. What it tests is recognition: given a scenario where someone needs to audit access on a bucket or replicate a role across projects, you should be able to identify the correct command and the correct resource scope. Knowing that get-iam-policy is available on projects, buckets, and instances is the key takeaway. Knowing that gcloud iam roles copy exists at all is the rest of it.
My Professional Cloud Architect course covers these gcloud IAM commands alongside the rest of the IAM and governance material.