Google Professional Cloud DevOps Engineer Exam Practice Test Instant Access

Question 1

Your uses Jenkins running on Google Cloud VM instances for CI/CD. You need to extend the functionality to use infrastructure as code automation by using Terraform. You must ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. You want to follow Google-recommended practices- What should you do?

AAdd the auth application-default command as a step in Jenkins before running the Terraform commands.

BCreate a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE environment variable on the Jenkins server.

CConfirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.

Duse the Terraform module so that Secret Manager can retrieve credentials.

Answer : C

The correct answer is C)

Confirming that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions is the best way to ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. This follows the Google-recommended practice of using service accounts to authenticate and authorize applications running on Google Cloud1. Service accounts are associated with private keys that can be used to generate access tokens for Google Cloud APIs2. By attaching a service account to the Jenkins VM instance, Terraform can use the Application Default Credentials (ADC) strategy to automatically find and use the service account credentials3.

Answer A is incorrect because the auth application-default command is used to obtain user credentials, not service account credentials. User credentials are not recommended for applications running on Google Cloud, as they are less secure and less scalable than service account credentials1.

Answer B is incorrect because it involves downloading and copying the secret key value of the service account, which is not a secure or reliable way of managing credentials. The secret key value should be kept private and not exposed to any other system or user2. Moreover, setting the GOOGLE environment variable on the Jenkins server is not a valid way of providing credentials to Terraform. Terraform expects the credentials to be either in a file pointed by the GOOGLE_APPLICATION_CREDENTIALS environment variable, or in a provider block with the credentials argument3.

Answer D is incorrect because it involves using the Terraform module for Secret Manager, which is a service that stores and manages sensitive data such as API keys, passwords, and certificates. While Secret Manager can be used to store and retrieve credentials, it is not necessary or sufficient for authorizing the Terraform Jenkins instance. The Terraform Jenkins instance still needs a service account with the appropriate IAM permissions to access Secret Manager and other Google Cloud resources.

Question 2

You are configuring a Cl pipeline. The build step for your Cl pipeline integration testing requires access to APIs inside your private VPC network. Your security team requires that you do not expose API traffic publicly. You need to implement a solution that minimizes management overhead. What should you do?

AUse Cloud Build private pools to connect to the private VPC.

BUse Spinnaker for Google Cloud to connect to the private VPC.

CUse Cloud Build as a pipeline runner. Configure Internal HTTP(S) Load Balancing for API access.

DUse Cloud Build as a pipeline runner. Configure External HTTP(S) Load Balancing with a Google Cloud Armor policy for API access.

Answer : A

Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure1.Cloud Build can be used as a pipeline runner for your CI pipeline, which is a process that automates the integration and testing of your code2.Cloud Build private pools are private, dedicated pools of workers that offer greater customization over the build environment, including the ability to access resources in a private VPC network3. A VPC network is a virtual network that provides connectivity for your Google Cloud resources and services.By using Cloud Build private pools, you can implement a solution that minimizes management overhead, as Cloud Build private pools are hosted and fully-managed by Cloud Build and scale up and down to zero, with no infrastructure to set up, upgrade, or scale3. You can also implement a solution that meets your security requirement, as Cloud Build private pools use network peering to connect into your private VPC network and do not expose API traffic publicly.

Question 3

Your company recently migrated to Google Cloud. You need to design a fast, reliable, and repeatable solution for your company to provision new projects and basic resources in Google Cloud. What should you do?

AUse the Google Cloud console to create projects.

BWrite a script by using the gcloud CLI that passes the appropriate parameters from the request. Save the script in a Git repository.

CWrite a Terraform module and save it in your source control repository. Copy and run the apply command to create the new project.

DUse the Terraform repositories from the Cloud Foundation Toolkit. Apply the code with appropriate parameters to create the Google Cloud project and related resources.

Answer : D

Terraform is an open-source tool that allows you to define and provision infrastructure as code1.Terraform can be used to create and manage Google Cloud resources, such as projects, networks, and services2.The Cloud Foundation Toolkit is a set of open-source Terraform modules and tools that provide best practices and guidance for deploying Google Cloud infrastructure3.The Cloud Foundation Toolkit includes Terraform repositories for creating Google Cloud projects and related resources, such as IAM policies, APIs, service accounts, and billing4. By using the Terraform repositories from the Cloud Foundation Toolkit, you can design a fast, reliable, and repeatable solution for your company to provision new projects and basic resources in Google Cloud. You can also customize the Terraform code to suit your specific needs and preferences.

Question 4

You are investigating issues in your production application that runs on Google Kubernetes Engine (GKE). You determined that the source Of the issue is a recently updated container image, although the exact change in code was not identified. The deployment is currently pointing to the latest tag. You need to update your cluster to run a version of the container that functions as intended. What should you do?

ACreate a new tag called stable that points to the previously working container, and change the deployment to point to the new tag.

BApply the latest tag to the previous container image, and do a rolling update on the deployment.

CBuild a new container from a previous Git tag, and do a rolling update on the deployment to the new container.

DAlter the deployment to point to the sha2 56 digest of the previously working container.

Answer : D

Question 5

You are designing a new Google Cloud organization for a client. Your client is concerned with the risks associated with long-lived credentials created in Google Cloud. You need to design a solution to completely eliminate the risks associated with the use of JSON service account keys while minimizing operational overhead. What should you do?

AUse custom versions of predefined roles to exclude all iam.serviceAccountKeys. * service account role permissions.

BApply the constraints/iam.disableserviceAccountKeycreation constraint to the organization.

CApply the constraints/iam. disableServiceAccountKeyUp10ad constraint to the organization.

DGrant the roles/ iam.serviceAccountKeyAdmin IAM role to organization administrators only.

Answer : B

The correct answer is B, Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.

According to the Google Cloud documentation, the constraints/iam.disableServiceAccountKeyCreation constraint is an organization policy constraint that prevents the creation of user-managed service account keys1. User-managed service account keys are long-lived credentials that can be downloaded as JSON or P12 files and used to authenticate as a service account2. These keys pose severe security risks if they are leaked, stolen, or misused by unauthorized entities34. By applying this constraint to the organization, you can completely eliminate the risks associated with the use of JSON service account keys and enforce a more secure alternative for authentication, such as Workload Identity or short-lived access tokens12. This also minimizes operational overhead by avoiding the need to manage, rotate, or revoke user-managed service account keys.

The other options are incorrect because they do not completely eliminate the risks associated with the use of JSON service account keys. Option A is incorrect because it only restricts the IAM permissions to create, list, get, delete, or sign service account keys, but it does not prevent existing keys from being used or leaked. Option C is incorrect because it only disables the upload of user-managed service account keys, but it does not prevent the creation or download of such keys. Option D is incorrect because it only limits the IAM role that can create and manage service account keys, but it does not prevent the keys from being distributed or exposed to unauthorized entities.

Disable user-managed service account key creation, Disable user-managed service account key creation. Service accounts, User-managed service accounts. Help keep your Google Cloud service account keys safe, Help keep your Google Cloud service account keys safe. Stop Downloading Google Cloud Service Account Keys!, Stop Downloading Google Cloud Service Account Keys! [Service Account Keys], Service Account Keys. [Disable user-managed service account key upload], Disable user-managed service account key upload. [Granting roles to service accounts], Granting roles to service accounts.

Question 6

You are configuring Cloud Logging for a new application that runs on a Compute Engine instance with a public IP address. A user-managed service account is attached to the instance. You confirmed that the necessary agents are running on the instance but you cannot see any log entries from the instance in Cloud Logging. You want to resolve the issue by following Google-recommended practices. What should you do?

Add the Logs Writer role to the service account.

Enable Private Google Access on the subnet that the instance is in.

Update the instance to use the default Compute Engine service account.

Export the service account key and configure the agents to use the key.

AAdd the Logs Writer role to the service account.
To use Cloud Logging, the service account attached to the Compute Engine instance must have the necessary permissions to write log entries. The Logs Writer role (roles/logging.logWriter) provides this permission. You can grant this role to the user-managed service account at the project, folder, or organization level1.
Private Google Access is not required for Cloud Logging, as it allows instances without external IP addresses to access Google APIs and services2. The default Compute Engine service account already has the Logs Writer role, but it is not a recommended practice to use it for user applications3. Exporting the service account key and configuring the agents to use the key is not a secure way of authenticating the service account, as it exposes the key to potential compromise4.

Answer : A

The correct answer is

1: Access control with IAM | Cloud Logging | Google Cloud

2: Private Google Access overview | VPC | Google Cloud

3: Service accounts | Compute Engine Documentation | Google Cloud

4: Best practices for securing service accounts | IAM Documentation | Google Cloud

Question 7

You work for a global organization and are running a monolithic application on Compute Engine You need to select the machine type for the application to use that optimizes CPU utilization by using the fewest number of steps You want to use historical system metncs to identify the machine type for the application to use You want to follow Google-recommended practices What should you do?

AUse the Recommender API and apply the suggested recommendations

BCreate an Agent Policy to automatically install Ops Agent in all VMs

CInstall the Ops Agent in a fleet of VMs by using the gcloud CLI

DReview the Cloud Monitoring dashboard for the VM and choose the machine type with the lowest CPU utilization

Answer : A

The best option for selecting the machine type for the application to use that optimizes CPU utilization by using the fewest number of steps is to use the Recommender API and apply the suggested recommendations. The Recommender API is a service that provides recommendations for optimizing your Google Cloud resources, such as Compute Engine instances, disks, and firewalls. You can use the Recommender API to get recommendations for changing the machine type of your Compute Engine instances based on historical system metrics, such as CPU utilization. You can also apply the suggested recommendations by using the Recommender API or Cloud Console. This way, you can optimize CPU utilization by using the most suitable machine type for your application with minimal effort.