Exporting Logs in Stackdriver Logging: Step-by-Step Guide

Give Team Members the Ability to Export Logs in Stackdriver Logging

Question

You manage an application that is writing logs to Stackdriver Logging.

You need to give some team members the ability to export logs.

What should you do?

Answers

Explanations


A.

https://cloud.google.com/logging/docs/access-control


A. Grant the team members the IAM role of logging.configWriter on Cloud IAM. This answer is incorrect because the logging.configWriter role grants permissions to create and modify log-based metrics and logs-based sinks, but not to export logs. Therefore, this role does not provide the necessary permissions for team members to export logs.

B. Configure Access Context Manager to allow only these members to export logs. This answer is also incorrect because Access Context Manager provides fine-grained access control for Google Cloud resources based on attributes of the request, such as IP address or user identity. While this may be useful for restricting access to certain resources, it does not provide the necessary permissions for team members to export logs.

C. Create and grant a custom IAM role with the permissions logging.sinks.list and logging.sink.get. This answer is correct. Creating a custom IAM role with the logging.sinks.list and logging.sink.get permissions allows team members to view the list of available sinks and retrieve sink details. With these permissions, team members can export logs to a destination of their choice using the sink feature.

D. Create an Organizational Policy in Cloud IAM to allow only these members to create log exports. This answer is incorrect because an organizational policy restricts access to resources across an entire organization. It does not provide the necessary permissions for team members to export logs.

In conclusion, the correct answer is C. Create and grant a custom IAM role with the permissions logging.sinks.list and logging.sink.get. This allows team members to view available sinks and retrieve sink details, which enables them to export logs to a destination of their choice using the sink feature.