
Google Cloud Professional Cloud DevOps Engineer Practice Exam

Validates skills in CI/CD, SRE practices, monitoring, and service reliability on Google Cloud.

Practice 642 exam-style Google Cloud Professional Cloud DevOps Engineer questions with full answer explanations, then take timed mock exams that score like the real thing.

• Practice questions: 642
• Questions on the real exam: 50
• Passing score: 700
• Exam length: 120 min

What the Google Cloud Professional Cloud DevOps Engineer exam covers

Free Google Cloud Professional Cloud DevOps Engineer sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 642.

  1. Question 1: Deploying Applications

    You must migrate a stateful on-prem service to GKE and need stable network identities and persistent storage per replica. Which Kubernetes object fits?

    • A. A DaemonSet
    • B. A StatefulSet with PersistentVolumeClaims (Correct)
    • C. A bare Pod with emptyDir
    • D. A Deployment with no volumes
    ✓ Correct answer: B

    StatefulSets in Kubernetes are specifically designed for stateful applications that require stable network identities (hostnames like pod-0, pod-1) and persistent storage per replica. Unlike Deployments, which are stateless and replaceable, StatefulSets maintain a sticky identity for each pod and provide ordered, graceful deployment and scaling. PersistentVolumeClaims bind storage to specific StatefulSet replicas, ensuring data persists across pod restarts and rescheduling. This combination directly addresses the requirement for stable network identities and persistent storage per replica needed for stateful on-premises service migrations.

    Why the other options are wrong
    • A. "A DaemonSet" is incorrect because DaemonSets run one pod per node for cluster-wide services (like monitoring agents) and do not provide the stable identities or volume management needed for stateful replicated services.
    • C. "A bare Pod with emptyDir" is incorrect because bare Pods have no restart guarantees, no stable network identity, and emptyDir volumes are ephemeral; data is lost when the pod terminates.
    • D. "A Deployment with no volumes" is incorrect because Deployments are stateless and provide no stable network identities or persistent storage; they are designed for interchangeable replicas.
  2. Question 2: Building Applications (Select all that apply)

    Developers complain that the same Terraform applied by CI produces different results than when run from laptops, causing drift and failed deploys. Which TWO practices best stabilize the pipeline? (Choose TWO)

    • A. Pin the Terraform and provider versions used by both CI and developers (Correct)
    • B. Have each developer keep their own local state file
    • C. Use a remote shared state backend (e.g., GCS) with state locking instead of local state (Correct)
    • D. Let CI auto-approve apply on any branch without a plan review
    ✓ Correct answer: A, C

    Terraform version and provider differences cause different behavior (features, bug fixes vary across versions). If CI uses Terraform 1.0 with AWS provider 4.0 but developers use Terraform 1.2 with AWS provider 5.0, the same code produces different results. Pinning versions (in a .terraform-version file or CI configuration) ensures consistency. State differences are another major cause: if developers store state locally and CI stores state in a remote backend (GCS), they operate on different state files and can create conflicts or drift. A shared, remote state backend with locking (Terraform applies locks to prevent concurrent modifications) ensures all apply operations are consistent and serialized. Together, these fixes address environment differences and state conflicts.

    Why the other options are wrong
    • B. "Have each developer keep their own local state file" is incorrect because local state files are not shared; different developers working on the same infrastructure create separate, divergent states.
    • D. "Let CI auto-approve apply on any branch without a plan review" is incorrect because skipping plan review hides differences and allows bad changes to be applied.
  3. Question 3: Integrating Google Cloud Services

    A Cloud Run service must call BigQuery. Which identity approach is most secure?

    • A. Use the default Compute Engine service account with Editor
    • B. Attach a dedicated service account with only the BigQuery roles it needs (Correct)
    • C. Authenticate as a developer's user account
    • D. Embed a downloaded JSON key in the container image
    ✓ Correct answer: B

    Question 271 tests key GCP Integrating Google Cloud Services concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • A. "Use the default Compute Engine service account with Editor" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • C. "Authenticate as a developer's user account" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "Embed a downloaded JSON key in the container image" is incorrect because it does not align with the scenario requirements or GCP best practices.
  4. Question 4: Deploying Applications

    Which GKE feature lets you map a Kubernetes service account to a Google service account for fine-grained API access?

    • A. Sharing the node's default service account key
    • B. Workload Identity Federation for GKE (Correct)
    • C. Node-level metadata server access for all pods
    • D. Pod hostNetwork mode
    ✓ Correct answer: B

    Question 293 tests key GCP Deploying Applications concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • A. "Sharing the node's default service account key" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • C. "Node-level metadata server access for all pods" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "Pod hostNetwork mode" is incorrect because it does not align with the scenario requirements or GCP best practices.
  5. Question 5: Bootstrapping a Cloud Development Environment

    An SRE wants AI help understanding why a Google Cloud deployment is behaving oddly, asking natural-language questions about resource configuration, costs, and recommendations directly from the Google Cloud console. Which capability is designed for operating and troubleshooting cloud environments?

    • A. Gemini Cloud Assist (Correct)
    • B. Gemini Code Assist in the IDE
    • C. Cloud Shell history search
    • D. The gcloud feedback command
    ✓ Correct answer: A

    Question 316 tests key GCP Bootstrapping a Cloud Development Environment concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • B. "Gemini Code Assist in the IDE" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • C. "Cloud Shell history search" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "The gcloud feedback command" is incorrect because it does not align with the scenario requirements or GCP best practices.
  6. Question 6: Bootstrapping a Cloud Development Environment

    A team wants per-pull-request ephemeral preview environments: each PR builds an image, deploys an isolated namespace to a shared GKE cluster, and the environment is automatically destroyed when the PR is merged or closed. Which design best meets this?

    • A. A Cloud Build trigger on pull-request events that deploys a uniquely named, labeled namespace, paired with a trigger on PR close/merge that deletes that namespace (Correct)
    • B. A single long-lived staging namespace that every PR deploys into sequentially
    • C. Manually creating a new GKE cluster for each PR and deleting it by hand after review
    • D. Deploying every PR directly to the production namespace behind a feature flag
    ✓ Correct answer: A

    Question 338 tests key GCP Bootstrapping a Cloud Development Environment concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • B. "A single long-lived staging namespace that every PR deploys into sequentially" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • C. "Manually creating a new GKE cluster for each PR and deleting it by hand after review" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "Deploying every PR directly to the production namespace behind a feature flag" is incorrect because it does not align with the scenario requirements or GCP best practices.
  7. Question 7: Bootstrapping a Cloud Development Environment

    A CI/CD architecture review flags that the same container image rebuilt in staging is rebuilt again for production, risking subtle differences. The team wants to guarantee the exact artifact tested in staging is what runs in production. Which practice ensures this?

    • A. Build the image once, store it in Artifact Registry by immutable digest, and promote that same digest through staging and production without rebuilding (Correct)
    • B. Rebuild from source in each environment but pin the same Git tag every time
    • C. Use the 'latest' tag everywhere so all environments always pull the newest build
    • D. Rebuild in production with caching disabled to ensure a clean build
    ✓ Correct answer: A

    Question 361 tests key GCP Bootstrapping a Cloud Development Environment concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • B. "Rebuild from source in each environment but pin the same Git tag every time" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • C. "Use the 'latest' tag everywhere so all environments always pull the newest build" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "Rebuild in production with caching disabled to ensure a clean build" is incorrect because it does not align with the scenario requirements or GCP best practices.
  8. Question 8: Building Applications (Select all that apply)

    A team wants build-time testing in their Cloud Build pipeline to catch defects before an image is published. Which TWO are appropriate build-time testing practices? (Choose TWO)

    • A. Run unit tests as a dedicated build step and fail the build (non-zero exit) if any test fails so no image is pushed (Correct)
    • B. Run integration tests against ephemeral dependencies (for example, a containerized test database started within the build) before the push step (Correct)
    • C. Skip all testing in CI and rely solely on canary traffic in production to detect failures
    • D. Run tests only after the image is already deployed to production
    ✓ Correct answer: A, B

    Run integration tests against ephemeral dependencies (for example, a containerized test database started within the build) before the push step. Question 383 tests key GCP Building Applications concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • C. "Skip all testing in CI and rely solely on canary traffic in production to detect failures" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "Run tests only after the image is already deployed to production" is incorrect because it does not align with the scenario requirements or GCP best practices.
  9. Question 9: Building Applications

    A Cloud Build step needs a third-party API token only while it runs the build, and the token must never be baked into the resulting container image. What is the recommended way to provide it?

    • A. Reference the secret from Secret Manager using the availableSecrets block and expose it as an environment variable only to the steps that need it (Correct)
    • B. Add the token as a plaintext substitution variable in the trigger so it is visible in build history
    • C. COPY the token file into the image during the Docker build so it is always available
    • D. Hardcode the token in the Dockerfile as an ENV instruction
    ✓ Correct answer: A

    Question 406 tests key GCP Building Applications concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • B. "Add the token as a plaintext substitution variable in the trigger so it is visible in build history" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • C. "COPY the token file into the image during the Docker build so it is always available" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "Hardcode the token in the Dockerfile as an ENV instruction" is incorrect because it does not align with the scenario requirements or GCP best practices.
  10. Question 10: Building Applications

    During a build, your pipeline must clone a private dependency repository. The personal access token used for cloning keeps ending up in the build logs because it is passed on the command line. What is the cleanest fix that keeps it out of logs?

    • A. Store the token in Secret Manager and expose it to only the clone step as a secretEnv via availableSecrets, referencing it through an environment variable (Correct)
    • B. Echo the token to the log first so you can confirm it is correct
    • C. Pass the token as a public substitution variable in the trigger
    • D. Embed the token in the Dockerfile with an ENV instruction
    ✓ Correct answer: A

    Question 428 tests key GCP Building Applications concepts. The correct answer(s) reflect best practices for this scenario in Google Cloud Platform.

    Why the other options are wrong
    • B. "Echo the token to the log first so you can confirm it is correct" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • C. "Pass the token as a public substitution variable in the trigger" is incorrect because it does not align with the scenario requirements or GCP best practices.
    • D. "Embed the token in the Dockerfile with an ENV instruction" is incorrect because it does not align with the scenario requirements or GCP best practices.

Google Cloud Professional Cloud DevOps Engineer practice exam FAQ

How many questions are in the Google Cloud Professional Cloud DevOps Engineer practice exam on CertGrid?

CertGrid has 642 practice questions for Google Cloud Professional Cloud DevOps Engineer, covering 5 exam domains. The real Google Cloud Professional Cloud DevOps Engineer exam has about 50 questions.

What is the passing score for Google Cloud Professional Cloud DevOps Engineer?

The Google Cloud Professional Cloud DevOps Engineer exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official Google Cloud Professional Cloud DevOps Engineer exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Google Cloud Professional Cloud DevOps Engineer, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice Google Cloud Professional Cloud DevOps Engineer for free?

Yes. You can start practicing Google Cloud Professional Cloud DevOps Engineer for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.