ProctorPulse is an independent exam prep platform — not affiliated with, endorsed by, or connected to any certification body, exam provider, or standards organization. All practice questions are 100% original, AI-generated from publicly available certification guidelines (exam objectives, syllabi, bodies of knowledge). No content is sourced from real exams, recalled questions, brain dumps, or proprietary materials. Our tools are designed for educational practice only. They do not replicate real exams, guarantee exam outcomes, or confer any certification or credential. Exam names, certification marks, and vendor trademarks referenced on this site belong to their respective owners and are used solely for identification purposes.

© 2026 ProctorPulse. All rights reserved.
Google Cloud

Free ACE - Associate Cloud Engineer Practice Questions

Test your knowledge with 10 free sample practice questions for the ACE - Associate Cloud Engineer certification. Each question includes a detailed explanation to help you learn.


Disclaimer: These are original, AI-generated practice questions created by ProctorPulse for exam preparation purposes. They are not sourced from any official exam and are not affiliated with or endorsed by Google Cloud. Use them as a study aid alongside official preparation materials.

Question 1 (Medium): Your organization runs a Cloud Build CI/CD pipeline in Project A that needs to deploy Compute Engine instances in Project B. You want to avoid storing service account keys in the build configuration. What authentication approach should you configure to allow the Cloud Build service account to deploy resources in Project B?

  • A. Grant the Cloud Build service account from Project A the serviceAccountUser role on a service account in Project B, then configure impersonation in the deployment script using the --impersonate-service-account flag (Correct Answer)
  • B. Create a custom IAM role in Project B that includes compute.instances.create permission and bind it directly to the Cloud Build service account from Project A
  • C. Enable the Service Account Credentials API in both projects and use short-lived access tokens generated through the generateAccessToken method for cross-project authentication
  • D. Configure a VPC Service Controls perimeter that spans both projects and grant the Cloud Build service account the iam.serviceAccountTokenCreator role in Project A

Explanation: Service account impersonation is the recommended approach for cross-project authentication without keys. By granting the Cloud Build service account the serviceAccountUser role (or iam.serviceAccountUser) on a target service account in Project B, you enable it to impersonate that account. The impersonated service account can have the necessary permissions (like compute.instanceAdmin) in Project B. The --impersonate-service-account flag in gcloud or equivalent parameters in API calls allow the pipeline to act as the target service account. Option B doesn't establish the impersonation chain needed for cross-project access. Option C describes a valid API but doesn't complete the authorization chain for impersonation. Option D misapplies VPC Service Controls and uses an incorrect role assignment that doesn't enable cross-project resource deployment.

Question 2 (Medium): An organization is using a Google Cloud service account for a data processing application. The application only needs to read data from a specific Cloud Storage bucket. How should you configure the IAM policy for the service account to follow the principle of least privilege?

  • A. Grant the service account the 'Storage Object Viewer' role on the specific bucket. (Correct Answer)
  • B. Assign the 'Storage Admin' role to the service account at the project level.
  • C. Add the 'Storage Object Creator' role to the service account on the bucket.
  • D. Provide the service account with the 'Storage Legacy Bucket Reader' role on the bucket.

Explanation: To follow the principle of least privilege, you should grant the service account only the permissions it needs to perform its task. The 'Storage Object Viewer' role allows read-only access to objects in a bucket, which is suitable for reading data. Assigning broader roles like 'Storage Admin' gives more permissions than necessary, violating the principle of least privilege.

Question 3 (Medium): What approach should the team adopt to authenticate the Cloud Function during local testing while maintaining security best practices?

  • A. Generate a service account key file, store it in the project repository with restricted file permissions, and reference it using the GOOGLE_APPLICATION_CREDENTIALS environment variable during local execution
  • B. Create a service account key file, store it outside the project directory in a secure location on each developer's workstation, set GOOGLE_APPLICATION_CREDENTIALS to its path, and add the key filename pattern to .gitignore
  • C. Use the gcloud auth application-default login command on each developer workstation to obtain user credentials, then impersonate the service account programmatically within the Cloud Function code during local testing (Correct Answer)
  • D. Extract the service account's private key from Cloud Console, encrypt it using a team-shared passphrase, commit the encrypted file to the repository, and decrypt it during local function initialization

Explanation: For local development testing of code that will run under a service account in production, the recommended secure approach is to use Application Default Credentials (ADC) with service account impersonation. Developers authenticate using their own credentials via 'gcloud auth application-default login', then the code can impersonate the target service account during local testing. This approach avoids creating and distributing service account keys, which pose security risks if exposed or committed to version control. Options A and D both involve committing sensitive credentials to repositories, which violates security best practices even with encryption or permission restrictions. Option B is better than A or D since it keeps keys out of repositories, but still requires managing long-lived key files on multiple workstations, increasing the attack surface. Service account keys should be avoided when alternatives like impersonation exist. The impersonation approach (Option C) provides separation of duties, audit trails, and eliminates the need to manage static credentials while still allowing developers to test service account permissions locally.

Question 4 (Easy): A new application needs to access data stored in a cloud storage bucket. You have created a service account for this application. Which role should you assign to the service account to ensure it can read data from the bucket without granting unnecessary permissions?

  • A. Storage Viewer
  • B. Storage Admin
  • C. Storage Object Creator
  • D. Storage Object Viewer (Correct Answer)

Explanation: The 'Storage Object Viewer' role allows the service account to read data from the storage bucket, adhering to the principle of least privilege by not granting permissions to modify or delete data. This ensures the service account has only the permissions necessary to fulfill its purpose.

Question 5 (Hard): After reviewing the access logs, which sequence of actions would establish the minimum required permissions for this service account while maintaining operational continuity?

  • A. Use Policy Analyzer to identify accessed APIs over 90 days, create a custom role with only those permissions, bind the custom role to the service account, remove the Owner role, then monitor for access denied errors over 2 weeks (Correct Answer)
  • B. Create a custom role with predefined roles Editor and Viewer combined, apply it to the service account, remove Owner role immediately, then use Policy Troubleshooter to verify all operations succeed
  • C. Export Cloud Audit Logs to BigQuery, query for service account activity, manually map each API call to IAM permissions, create a custom role, test in a development project, then apply to production
  • D. Enable Policy Intelligence recommendations, wait 90 days for machine learning analysis, apply the auto-generated custom role suggestions, remove Owner role, then use Access Transparency logs to confirm no permission gaps

Explanation: This scenario tests the ability to properly audit service account permissions and implement least privilege. Option A correctly uses Policy Analyzer (part of Policy Intelligence) to review actual resource access patterns over the specified 90-day period, creates a custom role containing only the permissions that were actually used, applies it while removing the excessive Owner role, and includes a monitoring period to catch any missed permissions before finalizing the change. This represents the proper workflow for right-sizing service account permissions. Option B incorrectly combines predefined roles (Editor and Viewer) into a custom role, which defeats the purpose of creating minimal permissions and still grants excessive access. Predefined roles should be used as-is or permissions should be individually selected. Option C describes a manual approach that could work but is unnecessarily complex and error-prone. While exporting to BigQuery and querying is possible, Policy Analyzer provides this analysis directly without requiring manual API-to-permission mapping, making this approach inefficient. Option D misunderstands Policy Intelligence features. While recommendations exist, they don't require a separate 90-day wait (the analysis uses existing data), and Access Transparency logs are designed for tracking Google personnel access to customer data, not for validating service account permissions. Policy Troubleshooter or continued monitoring of audit logs would be appropriate for verification. The key competency here is understanding how to audit service account usage patterns and translate them into minimal custom roles, which is essential for maintaining security in Google Cloud environments.

Question 6 (Easy): What is the primary purpose of a service account in a cloud project?

  • A. To manage billing and invoicing for the project.
  • B. To provide authentication for applications and services. (Correct Answer)
  • C. To store and manage large datasets securely.
  • D. To facilitate communication between team members.

Explanation: A service account is a special type of account in cloud projects used to authenticate applications and services, allowing them to access and interact with other resources securely without human intervention. This setup is crucial for maintaining security and operational efficiency in automated environments.

Question 7 (Hard): A service account is unable to access a certain cloud storage bucket, despite being configured with a role that should allow access. What would be the most effective step to diagnose the issue?

  • A. Check if the service account has the correct role assigned at the project level.
  • B. Review the bucket's IAM policy to ensure the service account is explicitly granted access. (Correct Answer)
  • C. Verify if the service account's key has been revoked or expired.
  • D. Inspect the project's organization policy for any restrictions affecting the service account.

Explanation: In diagnosing permission issues with a service account, it's crucial to examine the IAM policy of the specific resource in question. Even if a role is assigned at the project level, it may not be sufficient if the resource has its own restrictive policies. Reviewing the bucket's IAM policy can reveal if the service account is explicitly denied or if additional permissions are required.

Question 8 (Easy): Your team has deployed a data processing application on a Compute Engine instance that needs to retrieve log files stored in a Cloud Storage bucket. What approach should you use to enable the application to authenticate and access the bucket contents?

  • A. Create a service account with Storage Object Viewer role, attach it to the Compute Engine instance, and configure the application to use Application Default Credentials (Correct Answer)
  • B. Generate a service account key file, store it in the instance's home directory, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable to its path
  • C. Create an IAM user account with bucket access permissions and embed the username and password directly in the application code
  • D. Enable public access on the Cloud Storage bucket and configure the application to read objects without authentication

Explanation: Attaching a service account to a Compute Engine instance is the most secure method for application authentication in GCP. When you attach a service account with appropriate IAM permissions (like Storage Object Viewer for read access), the instance's metadata server provides temporary credentials automatically. Applications using Google Cloud client libraries can authenticate via Application Default Credentials (ADC), which automatically discovers and uses the attached service account without requiring key files. Option B is less secure because downloading and storing service account keys creates a credential management burden and increases the risk of key exposure. Option C violates security best practices by using user credentials instead of service accounts and hardcoding credentials. Option D eliminates security controls entirely by making the bucket publicly accessible, which is inappropriate for application-specific access requirements.

Question 9 (Medium): (Select all that apply) You are configuring access for three containerized microservices deployed on Google Kubernetes Engine. Service A handles user analytics and writes to BigQuery datasets. Service B processes messages from Pub/Sub and stores summaries in Cloud SQL. Service C reads from BigQuery for reporting purposes only. Which configurations properly implement least privilege access control?

  • A. Create three separate service accounts: grant Service A's account BigQuery Data Editor on specific datasets, grant Service B's account Pub/Sub Subscriber and Cloud SQL Client roles, grant Service C's account BigQuery Data Viewer on required datasets (Correct Answer)
  • B. Create three separate service accounts with identical permissions including BigQuery Admin, Pub/Sub Admin, and Cloud SQL Admin to ensure all services can perform their functions without access errors
  • C. Create a single service account with BigQuery Data Editor, Pub/Sub Subscriber, and Cloud SQL Client roles, then configure all three microservices to use this shared service account for simplified management
  • D. Create three separate service accounts: grant Service A's account roles/bigquery.dataEditor at the dataset level, grant Service B's account roles/pubsub.subscriber on specific subscriptions and roles/cloudsql.client, grant Service C's account roles/bigquery.dataViewer at the dataset level (Correct Answer)

Explanation: Least privilege access control requires each service to have only the permissions necessary for its specific function. Options A and D both correctly implement this principle by creating separate service accounts for each microservice with narrowly scoped permissions. Service A needs write access to BigQuery (Data Editor), Service B needs read access to Pub/Sub (Subscriber) and connection access to Cloud SQL (Client), and Service C needs only read access to BigQuery (Data Viewer). Option B violates least privilege by granting excessive Admin-level permissions. Option C violates the principle by using a shared service account, which grants each service unnecessary permissions for other services' functions and creates a security risk if any service is compromised. Best practice involves creating individual service accounts per workload and granting only required IAM roles at the most restrictive scope (dataset-level, subscription-level) rather than project-wide permissions.

Question 10 (Medium): What should you configure to allow a team member to temporarily access a cloud resource using service account impersonation?

  • A. Grant the user the 'Service Account User' role on the service account and configure time-based access. (Correct Answer)
  • B. Share the service account key file with the user for a limited period.
  • C. Add the user to a group with the necessary IAM roles for the required access.
  • D. Create a custom role with service account impersonation permissions and assign it to the user.

Explanation: To allow a user to temporarily access resources using service account impersonation, you should assign them the 'Service Account User' role on the specific service account. This role allows the user to act as the service account, gaining access to resources without sharing credentials directly. Implementing time-based access further enhances security by limiting the access duration.
