Practice PCDOE Bootstrapping a Google Cloud organization for DevOps questions with full explanations on every answer.
1. A company is setting up a new Google Cloud organization for DevOps. They want to enforce that all projects have a specific set of VPC Service Controls perimeters. Which approach should they use to ensure these perimeters are automatically applied to all new projects?
2. You are bootstrapping a Google Cloud organization for a DevOps team. You need to set up a shared VPC host project that will be used by multiple service projects. What is the minimal set of roles required for the DevOps team to create and manage service projects in the host project?
3. During the bootstrapping of a Google Cloud organization, the DevOps team wants to implement a policy that prevents the deletion of certain resources, such as Cloud Storage buckets or Cloud SQL instances, unless a specific approval process is followed. Which approach best achieves this goal?
4. A DevOps team is bootstrapping a new organization. They want to ensure that all projects created within the organization have a specific set of APIs enabled, such as Compute Engine, Cloud Storage, and Cloud Resource Manager. What is the most efficient way to achieve this?
5. You are bootstrapping a Google Cloud organization. You need to set up a hierarchical structure that allows you to apply policies to groups of projects based on their environment (e.g., development, staging, production). What is the recommended way to organize resources?
6. A company is bootstrapping their Google Cloud organization for DevOps. They want to implement a least-privilege model for service accounts used by CI/CD pipelines. The pipelines need to deploy resources in multiple projects. What is the best practice for managing service account keys?
7. During the bootstrapping of a Google Cloud organization, you need to ensure that all resources in a specific folder are subject to a particular VPC Service Controls perimeter. Which step is necessary to achieve this?
8. A DevOps team is setting up a Google Cloud organization. They want to centralize logging and monitoring across all projects. What is the recommended approach?
9. Which TWO options are best practices when bootstrapping a Google Cloud organization for DevOps? (Choose 2)
10. Which THREE actions should be taken to ensure compliance with the principle of least privilege when bootstrapping a Google Cloud organization? (Choose 3)
11. Which TWO are benefits of using a shared VPC in a Google Cloud organization? (Choose 2)
12. Your organization is bootstrapping a new Google Cloud environment for a DevOps team. The team consists of 15 engineers who will be working on multiple microservices deployed across several projects. You have created a folder called 'devops' under the organization node. Within this folder, you plan to create three projects: 'devops-dev', 'devops-staging', and 'devops-prod'. You want to enforce that all resources in these projects are created in a specific region (us-central1) and that no external IP addresses can be assigned to Compute Engine instances. Additionally, you want to ensure that all service accounts used by the applications have minimal permissions. After setting up the organization policies, you notice that a developer was able to create a Compute Engine instance with an external IP in the 'devops-dev' project. You check the organization policy constraints and find that the constraint 'compute.vmExternalIpAccess' is set to 'Deny' at the organization level, but the developer bypassed it. What is the most likely reason?
13. You are a DevOps engineer tasked with bootstrapping a Google Cloud organization for a company that develops a SaaS product. The company has three teams: Platform, Application, and Data. Each team needs to manage their own projects, but the network should be centrally managed. You decide to use a shared VPC. You create a host project 'shared-vpc-host' and attach three service projects: 'platform-service', 'app-service', and 'data-service'. You grant the Network Admin role to the Platform team for the host project. The Application team needs to deploy Compute Engine instances in their service project, but they should not be able to modify network resources. You grant them the Compute Instance Admin role at the service project level. However, the Application team reports that they cannot create instances because they don't have permission to use the subnets in the shared VPC. What is the most likely missing step?
14. Your organization requires that all new Google Cloud projects are automatically configured with a common set of VPC networks and subnets, and that these networks must be created before any resources are deployed. What is the best approach to enforce this requirement across the organization?
15. An organization is bootstrapping its Google Cloud environment and needs to establish a secure CI/CD pipeline that deploys infrastructure using Terraform. The pipeline must run in a dedicated project, and Terraform state must be stored in a Cloud Storage bucket. What is the most secure way to grant the CI/CD service account the minimal permissions required to manage the state bucket?
16. A DevOps team is setting up a new Google Cloud organization. They want to enforce that all projects have a specific set of labels, and that Cloud Logging is enabled. They have written a custom Organization Policy constraint to enforce the labels. However, they are unsure how to enforce Cloud Logging. Which of the following approaches should they use?
17. During the bootstrapping of a Google Cloud organization, you need to create a shared CI/CD pipeline that can deploy resources to multiple projects. The pipeline must use a service account with minimal permissions. What is the recommended way to grant the pipeline service account permissions to deploy resources across projects?
18. Your organization has multiple teams that need to deploy infrastructure using Terraform. You want to enforce that all Terraform state files are stored in a central Cloud Storage bucket with versioning enabled. You also need to ensure that only the CI/CD pipeline can write to the bucket. What is the best way to enforce this?
19. Which TWO are best practices for bootstrapping a Google Cloud organization for DevOps?
20. Which THREE are key considerations when setting up a Google Cloud organization for DevOps?
21. Your organization is adopting DevOps practices and needs to bootstrap a Google Cloud organization with multiple projects. You want to enforce consistent resource naming conventions and apply common organization policies across all projects. Which two services should you use together to achieve this?
22. A company is bootstrapping a Google Cloud organization for DevOps. They have multiple teams that need to deploy infrastructure using a shared CI/CD pipeline. The security team requires that all deployments be reviewed and approved before production rollout. However, they also want to maintain a fast feedback loop for developers. What is the best way to balance these requirements?
23. Which TWO statements about bootstrapping a Google Cloud organization for DevOps are correct?
24. Your company is bootstrapping a Google Cloud organization for DevOps. The organization consists of three folders: Dev, Staging, and Prod. Each folder contains multiple projects for different microservices. You have been tasked with setting up a centralized CI/CD pipeline using Cloud Build and Cloud Deploy. The pipeline must deploy to multiple environments in sequence: Dev → Staging → Prod. Each environment requires approval from a different approver group. You have set up Cloud Deploy delivery pipelines with targets pointing to each environment. However, during testing, you notice that after a successful deployment to Dev, the pipeline automatically proceeds to Staging without waiting for approval. What is the most likely cause and solution?
25. A startup wants to implement infrastructure as code for their Google Cloud environment to ensure reproducibility. They are using Terraform and want to manage state securely. What is the recommended approach?
26. An organization is setting up a new Google Cloud organization and wants to enforce consistent resource naming conventions and policies across all projects. Which service should they use?
27. A DevOps team wants to automate the deployment of a microservice application to Google Kubernetes Engine (GKE) using Cloud Build. They have a Cloud Build configuration file that builds a container image and deploys it to GKE. However, the deployment step fails with an authorization error. What is the most likely cause?
28. Arrange the steps to set up a Google Cloud Monitoring alerting policy for a Compute Engine instance.
29. Order the steps to set up a CI/CD pipeline using Cloud Build and Cloud Deploy for a Cloud Run service.
30. Order the steps to set up a log-based metric in Cloud Logging for error tracking.
31. Match each Google Cloud service to its primary purpose.
32. Match each Cloud Monitoring metric type to its description.
33. Match each Kubernetes resource to its role in a DevOps pipeline.
34. A DevOps team is bootstrapping a new Google Cloud organization. They want to grant a group of engineers the ability to create and manage projects within the organization, but not to modify organization policies or folders. Which IAM role should be assigned at the organization level?
35. A company is bootstrapping a Google Cloud organization. They have created a Shared VPC host project. They want to allow a service project's default compute service account to launch instances that use the Shared VPC's subnets. Which IAM role should be granted to that service account at the host project level?
36. A DevOps team is bootstrapping a Google Cloud organization. They have created a folder for a business unit and want to prevent users from moving projects out of that folder to other folders. Which organization policy constraint should they apply?
37. A DevOps team is setting up a CI/CD pipeline using Cloud Build. They want the Cloud Build service account to have permission to deploy to Cloud Run within a specific project. Which IAM role should be granted to the Cloud Build service account?
38. A company is bootstrapping their Google Cloud organization with multiple departments. Each department has several projects. They want to apply different IAM policies and organization policies per department. What is the recommended way to structure the resource hierarchy?
39. A DevOps engineer is troubleshooting a Cloud Build failure. The build log shows the error: 'Permission denied for resource projects/my-project/locations/us-central1/repositories/my-repo'. The Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) is used. What is the most likely missing role?
40. A DevOps team wants to ensure that all audit logs from projects across the organization are sent to a central project for analysis. Which approach should they use?
41. A DevOps team is bootstrapping CI/CD pipelines that need access to API keys stored in Secret Manager. The pipelines run on Cloud Build. What is the best practice for granting access to secrets?
42. A company uses a Shared VPC and wants to enforce a set of firewall rules across all projects in a folder. They want these rules to be immutable by project owners. Which approach should they use?
43. A DevOps team is bootstrapping a Google Cloud organization. They need to ensure that all projects have a consistent set of labels applied automatically. Which two approaches can they use? (Choose TWO.)
44. A DevOps team is designing a CI/CD pipeline using Cloud Build and Spinnaker. They want to ensure secrets are managed securely. Which three recommended practices should they implement? (Choose THREE.)
45. A company is bootstrapping a Google Cloud organization with multiple projects. They want to enable consistent security and compliance across all projects. Which two organization policies should they consider? (Choose TWO.)
46. Refer to the exhibit. The DevOps team is trying to create a new service account key. The operation fails with a permission error. What is the most likely cause?
47. Refer to the exhibit. The Cloud Build fails with a permission error. The Cloud Build service account has roles/cloudbuild.builds.builder and roles/cloudfunctions.developer on the project. What is the missing permission?
48. Refer to the exhibit. A DevOps engineer is trying to create a new project using the Cloud Console. The project creation fails with a policy violation. The engineer has permissions on folders/12345678 and folders/87654321 but not on any other folders. They select folder/87654321 as the parent. What is the most likely reason for the failure?
49. A company is setting up a new Google Cloud organization. They want to ensure that all projects inherit common IAM policies. What is the best practice?
50. A company uses Cloud Build for CI/CD. They want to allow Cloud Build to deploy to Cloud Run. What is the minimum IAM role to assign to the Cloud Build service account?
51. A company wants to enforce that all projects in the organization have a specific VPC Service Controls perimeter. What is the most efficient way to achieve this?
52. Which tool is recommended for managing the initial setup of a Google Cloud organization, including creating folders, projects, and IAM policies in an automated and repeatable manner?
53. A DevOps engineer is setting up a Cloud Build trigger that deploys to Cloud Run. The build succeeds but the deployment fails with 'Permission denied on the Cloud Run service'. What is the most likely cause?
54. A company is bootstrapping their organization using Terraform and wants to store the Terraform state file in a Cloud Storage bucket with versioning enabled. Which of the following is the best practice for securing the state file?
55. A DevOps engineer needs to assign IAM roles at the organization level. Which built-in role is specifically designed for managing IAM policies across the organization?
56. A company uses Cloud Build to deploy applications and wants to ensure that builds from forked repositories cannot access sensitive environment variables. What is the best practice?
57. A company wants to enforce that all service accounts are created with a specific naming convention (e.g., prefix 'sa-'). What is the most efficient way to enforce this?
58. Which TWO are best practices when bootstrapping a Google Cloud organization for DevOps? (Choose two.)
59. Which THREE are valid methods to enforce resource location restrictions in a Google Cloud organization? (Choose three.)
60. Which THREE are required steps when setting up a CI/CD pipeline with Cloud Build for the first time? (Choose three.)
61. A startup is bootstrapping a Google Cloud organization for DevOps. They need to create a project for their CI/CD tooling and a separate project for logging and monitoring. What is the recommended way to structure the resource hierarchy?
62. A DevOps engineer is setting up a Cloud Build trigger that builds a container image and deploys it to Cloud Run. The build fails with a permission error when trying to access resources in a different project. The engineer has created a service account in the project where Cloud Build runs and granted it roles/run.admin and roles/storage.objectViewer on the target project. What is the most likely cause of the failure?
63. A large enterprise is migrating to Google Cloud and wants to bootstrap their organization for DevOps. They have multiple business units, each needing their own folder with projects. Security requires that all projects in the 'prod' folder must have a specific set of organization policies enforced, such as restricting service account key creation. They also want to allow individual teams to create project-level policies as long as they don't conflict with the organization policies. Which approach ensures this while minimizing administrative overhead?
64. A DevOps team is bootstrapping their Google Cloud organization and wants to enable Infrastructure as Code (IaC) using Terraform. They need a service account that Terraform can use to create and manage resources across multiple projects. What is the best practice for creating and managing this service account?
65. During bootstrapping, a DevOps engineer wants to ensure that all new projects automatically have a set of APIs enabled, such as Cloud Resource Manager API and Cloud Billing API. They also want to enforce that certain APIs cannot be disabled accidentally. What is the most efficient way to achieve this?
66. An organization is bootstrapping their Google Cloud environment and wants to implement a shared VPC for DevOps workloads. The network team manages the host project, while DevOps teams have service projects. They need to ensure that DevOps teams can create resources in their service projects that use the shared VPC, but they cannot change the host project's network configuration. Which IAM roles should be granted to the DevOps team's service account on the host project?
67. A company is bootstrapping a Google Cloud organization for the first time. They want to set up Cloud Identity to manage users and groups. What is the correct order of steps?
68. During bootstrapping, a DevOps lead wants to ensure that all projects in the 'dev' folder have a consistent set of VPC firewall rules and network policies. They are considering using a shared VPC or VPC Network Peering. Which approach provides the most control and consistency for DevOps teams while minimizing administrative overhead?
69. A multinational corporation is bootstrapping a Google Cloud organization with multiple subsidiaries. Each subsidiary needs its own folder with IAM policies that are managed locally, but the parent company wants to enforce a global policy that restricts the use of certain machine types (e.g., N2D) for cost control. However, one subsidiary has a legitimate need for those machine types in a specific project. What is the best way to handle this exception while maintaining the global policy?
70. Which TWO of the following are best practices when bootstrapping a Google Cloud organization for DevOps?
71. Which TWO of the following are required steps to set up a shared VPC for DevOps teams?
72. Which THREE of the following are valid considerations when using organization policies to enforce compliance in a DevOps environment?
73. A company is bootstrapping a new Google Cloud organization for DevOps. They want to separate development, staging, and production environments using folders. Which folder structure follows Google-recommended best practices?
74. A DevOps engineer is trying to create a service account key for a CI/CD pipeline, but receives the error: 'Constraint constraints/iam.disableServiceAccountKeyCreation violated'. What is the most likely cause and solution?
75. A large enterprise is designing a centralized DevOps platform across multiple business units. They want to use a shared CI/CD pipeline that deploys to projects in different folders. Which approach ensures secure, auditable deployments while minimizing IAM administration?
76. To securely manage secrets (e.g., API keys) used in Cloud Build pipelines, which service should be used?
77. A Cloud Build pipeline fails with 'Permission denied' when trying to pull a Docker image from Artifact Registry in the same project. The Cloud Build service account has the Artifact Registry Reader role. What additional configuration is likely missing?
78. When bootstrapping a new Google Cloud organization for DevOps, which set of initial IAM roles should be assigned to the DevOps team to enable them to create and manage projects, folders, and billing accounts?
79. Which Google Cloud service provides a fully managed, private Git repository that integrates with Cloud Build for continuous integration?
80. A DevOps engineer notices that a Cloud Build trigger is not firing when commits are pushed to a Cloud Source Repositories repository. The trigger is configured with an invert regex for the branch filter. What could be the issue?
81. An organization has a strict compliance requirement that all CI/CD pipelines must use customer-managed encryption keys (CMEK) for any artifacts stored in Cloud Storage. How can this be enforced at the organization level?
82. Which TWO Organization Policy constraints are commonly used to enhance security in a DevOps environment?
83. When bootstrapping a Google Cloud organization for DevOps, which THREE steps are essential to set up a secure CI/CD foundation using Cloud Build?
84. A Cloud Build pipeline that deploys a container to Cloud Run fails with the error: `Missing required permission run.routes.invoke`. The Cloud Build service account has the 'Cloud Run Invoker' role. Which TWO additional steps should be taken?
85. Refer to the exhibit. The output shows three folders created directly under the organization node. Which gcloud command was most likely executed to produce this output?
86. Refer to the exhibit. A Cloud Build pipeline using this configuration fails on the third step with a permission error. The Cloud Build service account has the 'Cloud Run Admin' role. What is the most likely missing permission?
87. Refer to the exhibit. A DevOps engineer assigned this custom role to a service account used in Cloud Build. The pipeline fails when trying to access a secret stored in Secret Manager. Which permission is missing?
88. A company is setting up a new Google Cloud organization. They want to apply a consistent set of IAM roles to all projects within a specific department. What is the most efficient method to achieve this?
89. A DevOps engineer is bootstrapping a CI/CD pipeline using Cloud Build. They need to ensure that only specific service accounts can trigger builds on certain branches. What is the recommended approach?
90. An organization has multiple projects under a common folder. They want to enforce that all projects use the same VPC network from a central host project. However, one project needs to use a different VPC due to compliance requirements. How can this be achieved?
91. A startup wants to implement Infrastructure as Code (IaC) using Terraform for their Google Cloud environment. They need to manage state files securely. What is the best practice?
92. A DevOps team is setting up a Google Cloud organization and wants to ensure that all billing alerts are centrally managed. What should they do?
93. An organization has a policy that all projects must have Cloud Logging enabled and logs must be retained for at least 365 days. What is the most efficient way to enforce this across all projects?
94. Which TWO are best practices when setting up a Google Cloud organization for multiple teams? (Select exactly 2)
95. Which THREE actions should be taken when bootstrapping a CI/CD pipeline on Google Cloud? (Select exactly 3)
96. Which TWO are valid methods to manage service account keys securely? (Select exactly 2)
97. Refer to the exhibit. A DevOps engineer tries to create a project but gets this error. What is the most likely cause?
98. Refer to the exhibit. A DevOps engineer applies this Terraform configuration but gets an error: "Error creating Project: googleapi: Error 403: The caller does not have permission to enable services". What is the most likely cause?
99. Your company has recently migrated to Google Cloud and has set up an organization with three folders: Development, Staging, and Production. Each folder contains multiple projects. The DevOps team has established a centralized CI/CD pipeline using Cloud Build and Artifact Registry in a tools project under the Development folder. They want to ensure that only images built by the CI/CD pipeline are allowed to be deployed to the Production environment. They have configured Binary Authorization with a policy that requires attestations from the Cloud Build service account. However, a developer accidentally pushes a container image directly from their local machine to Artifact Registry using their personal IAM permissions, and then deploys that image to a Production project by bypassing the CI/CD pipeline. How can you prevent this from happening in the future?
100. A company wants to ensure that all projects in the organization have Cloud Resource Manager API enabled. What is the most efficient method?
101. A DevOps engineer needs to set up a centralized logging solution for multiple projects. They want to store logs in a BigQuery dataset for analysis. What is the best approach?
102. An organization is using Cloud Source Repositories and wants to enforce that all commits are signed with a verified GPG key. How can they enforce this?
103. A company is bootstrapping a new Google Cloud organization. They want to ensure that all projects are created under specific folders and that certain IAM roles are automatically granted to a group for new projects. What is the most efficient approach?
104. A DevOps engineer notices that developers are accidentally deleting Cloud Storage buckets. The organization wants to prevent accidental deletion while still allowing developers to manage bucket objects. What is the best practice?
105. A company uses Cloud Build and wants to trigger builds only from the master branch. Which configuration is required?
106. An organization wants to enforce that all Compute Engine VMs use only specific machine families (e.g., N2, C2). Which mechanism should they use?
107. A team is bootstrapping a new Google Cloud organization. Which TWO practices are recommended for managing project creation and resource hierarchy? (Choose two.)
108. A DevOps engineer is designing a CI/CD pipeline using Cloud Build. Which TWO configurations are necessary to ensure secure and reliable deployments? (Choose two.)
109. A company wants to implement a DevOps culture in their new Google Cloud organization. Which THREE practices align with Google's DevOps principles? (Choose three.)
110. You are a DevOps engineer for a startup bootstrapping their Google Cloud organization. They have a single project for all environments (dev, test, prod) and a flat resource hierarchy. Recently, a developer accidentally deleted a production Cloud Storage bucket, causing data loss. The team wants to prevent this in the future with minimal disruption. They also want to enforce that all new projects follow a naming convention like 'company-environment-xxx'. The CTO wants a solution using native Google Cloud services without third-party tools. What should you do?
111. A financial company is bootstrapping their Google Cloud organization for DevOps. They have strict compliance requirements: all projects must be under a folder hierarchy based on business units, and each project must have a Cloud Storage bucket with a retention policy of at least 1 year. They have 50 existing projects that need to be migrated into this hierarchy, and all future projects must comply. The team wants to automate as much as possible using Google Cloud services. Currently, projects are created manually with various ad-hoc permissions. What is the best approach to meet these requirements?
112. A multinational corporation is bootstrapping their Google Cloud organization. They have multiple business units in different countries, each with its own compliance requirements (e.g., data residency, encryption keys). The organization structure must support: (1) each business unit as a separate folder with its own admin; (2) projects within each folder must have a label 'bu-<businessunit>'; (3) all resources must be created in regions allowed by the business unit; (4) audit logging must be centralized. They have 200 existing projects and 10,000 VMs. The team wants to use Google Cloud's native tools to enforce these policies without third-party software. What is the most effective first step?
113. A small team is setting up a Google Cloud organization for their DevOps pipeline. They have zero existing projects. Their planned architecture uses Cloud Build for CI/CD, Cloud Source Repositories for code, and Artifact Registry for images. They want to ensure that developers can only deploy to the production environment after code review and approval. They also want to automatically trigger builds on commits to the main branch. Which of the following is the most efficient way to implement this?
114. A DevOps team is migrating their infrastructure to Google Cloud. They have a complex environment with multiple VPC networks, shared services, and separate development and production projects. They want to bootstrap a new organization that supports: (1) centralized network management with shared VPC, (2) separate folders for dev and prod, (3) consistent firewall rules across all projects, (4) a single Cloud NAT for outbound traffic. They have an existing on-premises VPN that must connect to all projects. What is the most efficient approach?
115. A large enterprise is bootstrapping a Google Cloud organization with strict security requirements. They need to: (1) enforce multi-factor authentication (MFA) for all users, (2) prevent any new project from using default VPCs, (3) require customer-managed encryption keys (CMEK) for all Cloud Storage buckets, (4) automatically revoke access for offboarded employees within 24 hours. They have an existing Active Directory and plan to use Google Cloud's Identity Platform for SSO. Which combination of Google Cloud services and policies should they implement?
116. A startup is bootstrapping their Google Cloud organization with the following constraints: they have a small team of 10 developers, each with varying levels of expertise. They want a simple setup that allows developers to experiment in their own projects but prevents them from deleting production resources. They also want to enforce a budget limit on each project to avoid unexpected costs. The team has no prior Google Cloud experience and wants minimal operational overhead. Which of the following approaches best meets their needs?
117. A government agency is bootstrapping a Google Cloud organization with strict compliance requirements. They must: (1) store all logs in a centralized project with retention of 7 years, (2) ensure no data leaves the United States, (3) use customer-managed encryption keys (CMEK) for all persistent disks and buckets, (4) automatically reject any resource creation outside allowed regions (us-central1 and us-east1). They have an existing on-premises SIEM that needs to receive logs via Pub/Sub. The network team wants to use Shared VPC. What is the correct order of steps to implement this?
118. Refer to the exhibit. A DevOps engineer is bootstrapping a Google Cloud organization and wants to ensure that no Compute Engine VM instances can have external IP addresses. The engineer applies this Terraform configuration. What is the effect of this configuration on the organization?
119. A company is bootstrapping a Google Cloud organization for DevOps. Which TWO practices should be implemented to ensure secure and efficient management of infrastructure as code (IaC) pipelines?
The Bootstrapping a Google Cloud organization for DevOps domain covers the key concepts tested in this area of the PCDOE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCDOE domains — no account required.
The Courseiva PCDOE question bank contains 119 questions in the Bootstrapping a Google Cloud organization for DevOps domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Bootstrapping a Google Cloud organization for DevOps domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.