ACE Flashcards — Free Google Associate Cloud Engineer Study Cards

Organization → Folder → Project → Resources

Google Cloud organizes resources in a strict hierarchy: Organization → Folders → Projects → Resources. Policies set at higher levels are inherited by all resources below them. This design allows centralized governance while delegating control at lower levels.

Coldline

Coldline storage is designed for data accessed fewer than once every 90 days, with a lower storage price than Standard or Nearline. Archive is cheaper but imposes a 365-day minimum storage duration and high retrieval cost — for quarterly access, Coldline is the better cost fit.

gcloud compute instances create web-01 --zone=us-central1-a --machine-type=e2-medium

The correct command structure is `gcloud compute instances create [NAME] --zone=[ZONE] --machine-type=[TYPE]`. The `--machine` shorthand and `--size` flag don't exist. `gcloud vm` is not a valid subcommand group.

An alerting policy with a CPU utilization threshold condition

Alerting policies in Cloud Monitoring define threshold conditions on metrics (e.g., CPU utilization > 80% for 5 minutes) and attach notification channels (email, SMS, PagerDuty). Dashboards only visualize data; uptime checks verify endpoint availability; log-based metrics require log entries, not metric data.

Viewer

The Viewer role grants read access to all project resources without any ability to create, modify, or delete them. Editor includes write permissions. Owner adds billing and IAM management. Browser only provides access to view the project's folder structure — not resource data.

Organization → Folder → Project → Resources

Google Cloud organizes resources in a strict hierarchy: Organization → Folders → Projects → Resources. Policies set at higher levels are inherited by all resources below them. This design allows centralized governance while delegating control at lower levels.

Coldline

Coldline storage is designed for data accessed fewer than once every 90 days, with a lower storage price than Standard or Nearline. Archive is cheaper but imposes a 365-day minimum storage duration and high retrieval cost — for quarterly access, Coldline is the better cost fit.

gcloud compute instances create web-01 --zone=us-central1-a --machine-type=e2-medium

The correct command structure is `gcloud compute instances create [NAME] --zone=[ZONE] --machine-type=[TYPE]`. The `--machine` shorthand and `--size` flag don't exist. `gcloud vm` is not a valid subcommand group.

An alerting policy with a CPU utilization threshold condition

Alerting policies in Cloud Monitoring define threshold conditions on metrics (e.g., CPU utilization > 80% for 5 minutes) and attach notification channels (email, SMS, PagerDuty). Dashboards only visualize data; uptime checks verify endpoint availability; log-based metrics require log entries, not metric data.

Viewer

The Viewer role grants read access to all project resources without any ability to create, modify, or delete them. Editor includes write permissions. Owner adds billing and IAM management. Browser only provides access to view the project's folder structure — not resource data.

A billing account

A billing account must be associated with a project before paid GCP services can be provisioned. Without a linked billing account, resource creation is blocked for paid services. An Organization node and Cloud Identity domain are optional for individual or startup use.

Cloud Run

Cloud Run is a fully managed serverless platform for containerized HTTP services. It scales to zero when there are no requests, charges only for actual request processing, and requires no infrastructure management. GKE Autopilot manages node provisioning but still requires a cluster with minimum costs. App Engine Standard also scales to zero but is less flexible for arbitrary containers.

kubectl apply -f api-deployment.yaml

`kubectl apply -f` is idempotent — it creates the resource if absent and updates it if present. `kubectl create -f` only creates and errors if the resource already exists. `kubectl deploy` is not a valid kubectl command.

Ops Agent (Google Cloud's combined logging and monitoring agent)

The Ops Agent (which replaced the legacy Cloud Logging and Cloud Monitoring agents) must be installed on Compute Engine VMs to collect application and system logs and forward them to Cloud Logging. Without it, logs remain local and invisible to Cloud Logging.

Remove the key files and use service account impersonation or Workload Identity for workloads that need GCP access

Long-lived service account key files are one of the highest-risk authentication methods in GCP. The preferred approach is to eliminate keys entirely — use Workload Identity for GKE/Cloud Run, attach service accounts directly to GCE VMs, or use Workload Identity Federation for external workloads. Rotating keys or moving them to Secret Manager reduces distribution risk but doesn't eliminate the key's existence.

gcloud auth login

The `gcloud auth login` command opens a browser to prompt for Google account credentials and stores an access token locally. This is distinct from `gcloud init`, which also configures default project/region settings as part of a broader setup workflow.

Spot VM

Spot VMs (formerly Preemptible VMs) offer discounts of up to 91% compared to standard VMs. They can be preempted with a 30-second notice, making them ideal for fault-tolerant workloads that checkpoint progress. Custom machine types optimize resource fit but don't inherently reduce cost as dramatically.

gcloud run deploy api-service --image=gcr.io/myproject/api:v2 --region=us-east1 --allow-unauthenticated

The Cloud Run deploy command syntax is `gcloud run deploy [SERVICE] --image=[IMAGE] --region=[REGION]`. `--allow-unauthenticated` enables public (unauthenticated) access. `--zone` is a Compute Engine concept, not Cloud Run. `--no-auth` and `--public` are not valid flags.

severity >= "ERROR"

In Cloud Logging's query language, `severity >= "ERROR"` matches all entries at ERROR, CRITICAL, ALERT, and EMERGENCY levels. Quotation marks around the severity value are required. The time range is typically set via the console's time picker or `timestamp` filters.

An ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' tag, relying on the implied deny for other traffic

GCP VPCs have an implied deny-all ingress rule at priority 65535. Adding a single ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' network tag is sufficient — the existing implied deny handles all other traffic. No explicit deny rule is needed.

Enable the Cloud SQL Admin API via APIs & Services > Library in the Console

Most GCP services require their corresponding API to be explicitly enabled per project. The Cloud SQL Admin API must be enabled before any Cloud SQL resources can be created. API enablement is separate from IAM permissions — having the right role is necessary but not sufficient if the API is disabled.

Cloud Firestore

Cloud Firestore is a NoSQL document database that supports flexible, schemaless documents with nested structures. It's well-suited for mobile and web app backends where data models evolve rapidly. Cloud SQL and Spanner are relational databases requiring predefined schemas. Bigtable is a wide-column store optimized for analytics workloads.

gcloud container clusters create prod-cluster --region=us-central1 --num-nodes=3 --enable-autoscaling --min-nodes=3 --max-nodes=10

The correct command is `gcloud container clusters create` with `--enable-autoscaling`, `--min-nodes`, and `--max-nodes`. `kubectl` creates resources within a cluster — it cannot create the cluster itself. `gcloud kubernetes` is not a valid command group.