Free practice test · no sign-up
GCP ACE
Free Google Associate Cloud Engineer practice test
- ✓ 10 free questions
- ✓ Instant answers & explanations
- ✓ No sign-up, no email
10 real GCP ACE practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 400 questions whenever you’re ready. The GCP ACE passing score is not publicly disclosed (community estimate ~70%).
Answer key
All 10 GCP ACE questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free GCP ACE test.
Q1. A developer needs to run a Cloud Run service that reads objects from a private Cloud Storage bucket. The service should follow the principle of least privilege. Which approach correctly implements this?
Correct answer: B. Create a dedicated service account, grant it the roles/storage.objectViewer role on the specific bucket, and configure Cloud Run to use that service account.
Creating a dedicated service account and granting it roles/storage.objectViewer scoped to the specific bucket follows least privilege — the service only gets read access to exactly what it needs. Granting Project Editor (A) is far too broad and violates least privilege. Using the default Compute Engine service account with storage.admin at project level (C) is overly permissive and shares the identity across all workloads. Making the bucket public (D) removes authentication entirely, exposing data to the internet.
Q2. Your organization's security policy requires that no single user can both deploy Cloud Functions and modify IAM policies in a project. You need to enforce this separation of duties using predefined roles. Which combination achieves this?
Correct answer: B. Assign roles/cloudfunctions.developer to deployment users and roles/iam.securityAdmin to policy administrators as separate role bindings on separate principals.
roles/cloudfunctions.developer grants permission to deploy Cloud Functions without IAM modification rights, while roles/iam.securityAdmin allows IAM policy management without deployment rights. Binding these to separate principals enforces separation of duties. Granting roles/owner (A) to everyone eliminates any separation. roles/editor (C) does not include IAM setIamPolicy permissions, making it an incomplete fit for policy administrators. Creating a combined custom role (D) assigned to one account defeats separation of duties entirely.
Q3. A GKE workload needs to call the Cloud Pub/Sub API without storing service account key files on disk. The cluster is running on GKE with Workload Identity enabled. What is the recommended configuration?
Correct answer: B. Annotate the Kubernetes ServiceAccount with the IAM service account email and bind the Kubernetes ServiceAccount to the IAM service account using roles/iam.workloadIdentityUser.
Workload Identity on GKE works by annotating a Kubernetes ServiceAccount with the IAM service account email and granting that KSA the roles/iam.workloadIdentityUser role on the IAM service account. This allows pods to impersonate the IAM service account and obtain short-lived tokens without any key files. Mounting a JSON key (A) is the pattern Workload Identity is specifically designed to replace, as long-lived keys are a security risk. Granting permissions to the node pool service account (C) shares identity across all pods on those nodes, violating least privilege. Setting GOOGLE_APPLICATION_CREDENTIALS to a secrets path (D) still requires a key file to exist and does not leverage Workload Identity.
Q4. You want to allow an external CI/CD pipeline running on-premises to deploy images to Artifact Registry in your Google Cloud project. The pipeline should authenticate without a long-lived service account key. Which solution should you use?
Correct answer: B. Configure Workload Identity Federation with an OIDC provider so the pipeline can exchange its identity provider token for a short-lived Google access token.
Workload Identity Federation allows external workloads to authenticate to Google Cloud by exchanging a trusted OIDC (or SAML) token from their identity provider for short-lived Google credentials, eliminating the need for service account keys. Storing a service account key JSON in a CI/CD secret manager (A) relies on a long-lived credential that can be leaked or rotated improperly. Granting allAuthenticatedUsers (C) opens access to any authenticated Google account, not just your pipeline. Sharing a project owner API key (D) provides grossly over-privileged, unaudited access.
Q5. A team lead wants to grant a contractor read-only access to all resources within a specific Google Cloud folder, but not to any other folders or the organization root. The most appropriate place to bind the role is:
Correct answer: B. At the specific folder, binding roles/viewer to the contractor's identity.
IAM bindings are inherited downward in the resource hierarchy. Binding roles/viewer at the folder level grants read access to all projects and resources inside that folder only, which exactly matches the requirement. Binding at the organization node (A) would grant access to all folders, and Deny policies are more complex to manage correctly than simply binding at the right level. Binding at each project individually (C) works but is operationally cumbersome and error-prone compared to a single folder-level binding. Binding at the billing account (D) controls billing access, not resource configuration visibility.
Q6. A security engineer needs to temporarily allow a colleague's service account to act as another service account to debug a permission issue. The engineer wants the impersonation to be time-bounded using short-lived credentials. Which gcloud command correctly generates a short-lived access token for service account impersonation?
Correct answer: C. gcloud auth print-access-token --impersonate-service-account=TARGET_SA
gcloud auth print-access-token --impersonate-service-account generates a short-lived access token that allows the caller to act as the specified service account without creating persistent keys. The caller must hold roles/iam.serviceAccountTokenCreator on the target service account. Creating a key file (A) generates a long-lived credential, the opposite of what is needed. Activating a service account with a key file (B) requires a pre-existing key and is a persistent auth change, not short-lived impersonation. Adding an IAM binding (D) permanently modifies permissions and does not produce a token.
Q7. Your company policy prohibits granting any basic roles (roles/owner, roles/editor, roles/viewer) in production projects. A new developer needs to deploy and manage Cloud Run services only. Which is the most appropriate predefined role to grant?
Correct answer: B. roles/run.admin
roles/run.admin is a predefined role that grants full management of Cloud Run services without providing access to unrelated resources, satisfying least privilege for this scenario. roles/editor (A) is a basic role that is explicitly prohibited by the policy and provides broad write access across many services. roles/owner (C) is also a basic role and is completely prohibited; it grants billing and IAM management rights. roles/compute.admin (D) manages Compute Engine VMs and networks, not Cloud Run services.
Q8. An application deployed on Compute Engine needs to call the Cloud Translation API. The VM was created using the default Compute Engine service account with the default access scopes. The application is failing with a 403 error when calling the API. What is the most operationally sound fix that follows security best practices?
Correct answer: C. Create a new service account with roles/cloudtranslate.user, attach it to the VM (replacing the default), and ensure the VM's access scope is set to cloud-platform.
The best practice is to create a purpose-built service account with only the necessary role (roles/cloudtranslate.user), attach it to the VM, and use the cloud-platform access scope (https://www.googleapis.com/auth/cloud-platform), which delegates authorization entirely to IAM roles rather than relying on legacy per-API access scopes. Simply adding an access scope to the default service account (A) is discouraged because the default SA is shared across all workloads on the project and relies on the legacy scope-based model. Using owner credentials in code (B) embeds highly privileged credentials and is a major security anti-pattern. Granting roles/owner to the default SA (D) is far too broad and violates least privilege.
Q9. A team is creating a custom IAM role that should allow listing and reading Firestore documents but not writing or deleting them. During role creation in the console, they cannot find the exact permissions needed. Where should they look to identify the correct Firestore IAM permission strings?
Correct answer: B. The IAM permissions reference in the Google Cloud documentation, which lists all available permissions by service.
The official Google Cloud IAM permissions reference documents every supported permission string for every service, making it the authoritative source for building custom roles. Cloud Audit Logs (A) show which permissions were exercised historically but are not a comprehensive catalog of all available permissions. Copying permissions from roles/firestore.admin (C) would include write and delete permissions that the team explicitly wants to exclude, requiring manual pruning and risking mistakes. The API Explorer (D) is for testing API calls interactively; it does not map HTTP methods to IAM permission strings.
Q10. A service account used by a Cloud Scheduler job has been compromised. You need to immediately revoke its ability to authenticate to Google Cloud APIs without permanently deleting the account, because the job configuration references it by email address. What is the fastest way to achieve this?
Correct answer: B. Disable the service account using gcloud iam service-accounts disable.
Disabling a service account immediately prevents it from authenticating and generating new tokens, effectively revoking access without deleting the account or its role bindings. The account can be re-enabled once the incident is resolved and the cause is remediated. Removing all IAM bindings (A) stops what the SA is authorized to do but does not prevent the compromised SA from obtaining tokens if it still has valid keys; it is also tedious and risks missing bindings in child resources. Rotating the key (C) only helps if the attacker obtained a key file; short-lived tokens already issued remain valid for up to one hour, and impersonation paths are unaffected. Deleting and recreating the account (D) is irreversible — service account emails cannot be reused once deleted.
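As an added illustration (not part of the practice test or its answer key), the following Python script audits a project IAM policy, as exported by `gcloud projects get-iam-policy PROJECT_ID --format=json`, for the anti-patterns the explanations for Q1, Q4, Q7 and Q8 describe: public principals (allUsers, allAuthenticatedUsers), basic roles, and broad roles bound to the shared default Compute Engine service account. The sample policy, project number, principals and bucket name are constructed for the example, and `audit_policy` and `summarize` are hypothetical helper names, not a Google tool.

```python
"""Audit a Google Cloud project IAM policy for least-privilege anti-patterns.

Added example: feed it the JSON from
    gcloud projects get-iam-policy PROJECT_ID --format=json
or run it as-is on the constructed SAMPLE_POLICY below.
"""
import json
import re
import sys

# Basic roles a production policy such as the one in Q7 forbids outright.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that remove authentication (Q1 D) or admit every Google account (Q4 C).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles far too broad for the shared default Compute Engine SA (Q1 C, Q8 D).
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin"}
# The default Compute Engine SA is PROJECT_NUMBER-compute@developer.gserviceaccount.com.
DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"
)

RECOMMENDATIONS = {
    "public_member": "Remove the public principal; give external workloads an identity "
                     "via Workload Identity Federation.",
    "basic_role": "Replace with the narrowest predefined role for the task "
                  "(e.g. roles/run.admin for Cloud Run).",
    "default_sa_broad_role": "Create a dedicated service account and bind the minimal role "
                             "on the resource itself (e.g. roles/storage.objectViewer on the bucket).",
}


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per (rule, role, member) that violates least privilege."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        # Conditional bindings (policy version 3) carry a condition; report its title
        # so the reader can judge how far the binding actually reaches.
        condition = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            rules = []
            if member in PUBLIC_MEMBERS:
                rules.append("public_member")
            if role in BASIC_ROLES:
                rules.append("basic_role")
            if role in BROAD_ROLES and DEFAULT_COMPUTE_SA.match(member):
                rules.append("default_sa_broad_role")
            for rule in rules:
                findings.append({
                    "rule": rule,
                    "role": role,
                    "member": member,
                    "condition": condition,
                    "recommendation": RECOMMENDATIONS[rule],
                })
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per rule, e.g. {"basic_role": 2, ...}."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding["rule"]] = counts.get(finding["rule"], 0) + 1
    return counts


# Constructed sample policy: project number, principals and bucket name are invented.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:new-dev@example.com",
                     "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.writer",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/run.admin",
         "members": ["user:new-dev@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:run-reader@my-project.iam.gserviceaccount.com"],
         "condition": {"title": "reports-bucket-only",
                       "expression": 'resource.name.startsWith("projects/_/buckets/reports")'}},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    for f in audit_policy(policy):
        cond = f" (condition: {f['condition']})" if f["condition"] else ""
        print(f"[{f['rule']}] {f['role']} -> {f['member']}{cond}")
        print(f"    fix: {f['recommendation']}")
    print("summary:", summarize(audit_policy(policy)))
```

On the constructed policy the script reports five findings: the basic roles/editor binding for both principals, the default Compute Engine service account holding roles/editor and roles/storage.admin, and allAuthenticatedUsers on Artifact Registry; the conditioned roles/storage.objectViewer binding and roles/run.admin pass. Note that a bucket-scoped binding, the correct answer to Q1, lives in the bucket's own policy (`gcloud storage buckets get-iam-policy gs://BUCKET`), so a project-level audit like this one will not see it.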
Exam facts and objectives sourced from the official Google Cloud certification page. Last reviewed June 2026.
Ready for the full GCP ACE bank? Start free.
400 questions, timed mock exams, and missed-question review — 30 free questions, no card.