Important gcloud IAM Commands for the PDE Exam

GCP Study Hub
August 11, 2025

When I'm coaching candidates through the Professional Data Engineer exam, the IAM section trips people up less because the concepts are hard and more because the gcloud commands feel scattered. Roles live in one place, policies live on resources, and each resource type has its own slightly different way of revealing who has access. The exam likes to ask short, surgical questions about this. You read a scenario, four answer choices appear, and three of them are gcloud commands that look almost right. The trick is knowing the exact verb and the exact resource grammar.

This post walks through the gcloud IAM commands I tell every Professional Data Engineer candidate to memorize before sitting the exam. It's a narrow surface, and once you've drilled it, you'll recognize the right answer on sight.

Copying roles between projects

Custom roles are scoped to either a project or an organization. If you build a custom role in one project and need the same role in another project, you don't recreate it by hand. You copy it.

The command is gcloud iam roles copy. The pattern looks like this:

gcloud iam roles copy \
  --source projects/SOURCE_PROJECT/roles/ROLE_ID \
  --destination DESTINATION_ROLE_ID \
  --dest-project DESTINATION_PROJECT

A few things to remember. The source is a fully qualified role name, including the projects/ prefix. The destination is just the new role ID, and you tell gcloud where to put it with --dest-project. If you're copying from an organization-level custom role, you swap projects/ for organizations/ in the source path, and if the copy itself should land at the organization level, you use --dest-organization in place of --dest-project. The source can also be a predefined role such as roles/bigquery.dataViewer, which is the usual starting point when a team wants a slightly trimmed version of a built-in role.

The exam will sometimes describe a team that has a vetted custom role in a sandbox project and wants the same role in production. The right answer is almost always gcloud iam roles copy, not creating a new role with the same permissions list.

Reading IAM policies on resources

This is the family of commands you have to be fluent in. The pattern is gcloud [RESOURCE] get-iam-policy, and the resource piece is where the exam tests you.

For a project:

gcloud projects get-iam-policy PROJECT_ID

For a Cloud Storage bucket:

gcloud storage buckets get-iam-policy gs://BUCKET_NAME

For a Compute Engine instance:

gcloud compute instances get-iam-policy INSTANCE_NAME --zone ZONE

Three details to lock in. First, the bucket form takes a gs:// URL, not a bare bucket name. Second, the compute instance form requires the --zone flag, because instances are zonal resources and gcloud won't guess. Third, the project form takes the bare project ID, without the projects/ prefix you'd use in the roles copy command. Each resource family has its own conventions, and the exam likes to swap them around in distractors.

Setting IAM policies and binding members

Reading is half the story. The exam also expects you to recognize the write side. There are two patterns that come up often.

For a one-off addition of a single member to a single role on a project, the cleanest command is add-iam-policy-binding:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:alice@example.com \
  --role=roles/bigquery.dataViewer

The --member value carries a prefix that identifies the principal type: user: for an individual Google account, serviceAccount: for a service account, group: for a Google group, and domain: for a whole Workspace domain. A bare email address with no prefix is rejected. The only members written without a prefix are the special values allUsers and allAuthenticatedUsers, and binding either of those makes the resource public, so treat an answer choice containing them with suspicion unless the scenario explicitly calls for public access.

For bulk changes, you fetch the full policy, edit the JSON, and set it back:

gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
# edit policy.json
gcloud projects set-iam-policy PROJECT_ID policy.json

The exam doesn't make you write JSON, but it does expect you to know that set-iam-policy replaces the entire policy while add-iam-policy-binding appends a single binding. Picking the wrong one in a scenario where a coworker still needs their existing access is a classic trap: a hand-written policy file that contains only the new binding silently revokes everyone else. One detail worth knowing beyond the exam: the fetched policy includes an etag, and set-iam-policy sends it back, so if someone else changed the policy between your get and your set, the write is rejected instead of overwriting their change. Keep the etag in the file you edit.
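The "edit policy.json" step is where the replace-versus-append trap bites, so here is an added example (not from the original post or from Google's tooling) of how I'd script that edit instead of hand-typing bindings. It loads a policy in the shape get-iam-policy --format=json produces, adds a member to a role while keeping every existing binding and the etag, validates the principal prefix, and runs a pre-flight diff that lists every (role, member) pair the proposed policy would revoke. The project, principals and etag in the sample are constructed for this example.

```python
"""Edit a fetched IAM policy so that set-iam-policy revokes nobody.

Added example for this post, not code from gcloud or Google. The sample
policy below is constructed; the etag and principals are not real.
"""
import copy
import json

# Principal prefixes gcloud accepts in --member and in policy bindings.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")

# Constructed sample resembling `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["group:analysts@example.com"]}
  ],
  "etag": "BwXhQk2abcd=",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse policy JSON as written by get-iam-policy --format=json."""
    return json.loads(text)


def validate_member(member: str) -> str:
    """Reject principals missing the type prefix gcloud requires."""
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(
            f"{member!r} has no principal prefix; expected one of {MEMBER_PREFIXES}")
    return member


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of policy with member granted role.

    Every existing binding and the etag are preserved, so the result is safe
    to hand to set-iam-policy. Bindings carrying an IAM condition are left
    alone: merging into one would grant access only under that condition,
    so a new unconditional binding is appended instead.
    """
    validate_member(member)
    if "etag" not in policy:
        raise ValueError("policy has no etag; refetch it with get-iam-policy first")
    updated = copy.deepcopy(policy)
    for binding in updated["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def members_of(policy: dict, role: str) -> list:
    """All principals bound to role, across conditional and unconditional bindings."""
    return sorted(m for b in policy["bindings"] if b["role"] == role for m in b["members"])


def revoked_by(current: dict, proposed: dict) -> set:
    """(role, member) pairs present now that set-iam-policy with proposed would drop.

    Run this before set-iam-policy: a non-empty result means the edit removes
    someone's access, which is exactly what a hand-written policy file does.
    """
    def grants(policy: dict) -> set:
        return {(b["role"], m) for b in policy["bindings"] for m in b["members"]}
    return grants(current) - grants(proposed)


if __name__ == "__main__":
    current = load_policy(SAMPLE_POLICY_JSON)
    proposed = add_binding(current, "roles/bigquery.dataViewer", "user:alice@example.com")
    assert not revoked_by(current, proposed)
    # Write this to policy.json, then: gcloud projects set-iam-policy PROJECT_ID policy.json
    print(json.dumps(proposed, indent=2))
```

Feed the output of the script to set-iam-policy only when revoked_by comes back empty; for a one-off grant like the one above, add-iam-policy-binding remains the simpler and safer command, since gcloud does the read-modify-write for you.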

What I'd drill before exam day

If you only have an hour to spend on gcloud IAM before walking into the Professional Data Engineer exam, here's where I'd put it.

  • Type gcloud iam roles copy from memory, including the --dest-project flag.
  • Practice the three get-iam-policy variants: projects, storage buckets with gs://, and compute instances with --zone.
  • Know that add-iam-policy-binding appends and set-iam-policy replaces.
  • Memorize the four --member prefixes: user:, serviceAccount:, group:, domain:.

That's the bulk of what the exam will throw at you on the gcloud side of IAM. The conceptual material around inheritance, role hierarchy, and least privilege still matters, but those questions are easier to reason through. The command-line questions reward muscle memory, and the surface area is small enough that an hour of focused practice in Cloud Shell will pay back the time several times over on test day.

My Professional Data Engineer course covers IAM commands, custom roles, and policy management in the depth the exam expects.
