Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Bootstrapping a Google Cloud organization for DevOps practice sets

PCDOE Bootstrapping a Google Cloud organization for DevOps • Complete Question Bank

PCDOE Bootstrapping a Google Cloud organization for DevOps — All Questions With Answers

Complete PCDOE Bootstrapping a Google Cloud organization for DevOps question bank — all 0 questions with answers and detailed explanations.

119
Questions
Free
No signup
Certifications/PCDOE/Practice Test/Bootstrapping a Google Cloud organization for DevOps/All Questions
Question 1mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is setting up a new Google Cloud organization for DevOps. They want to enforce that all projects have a specific set of VPC Service Controls perimeters. Which approach should they use to ensure these perimeters are automatically applied to all new projects?

Question 2easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

You are bootstrapping a Google Cloud organization for a DevOps team. You need to set up a shared VPC host project that will be used by multiple service projects. What is the minimal set of roles required for the DevOps team to create and manage service projects in the host project?

Question 3hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

During the bootstrapping of a Google Cloud organization, the DevOps team wants to implement a policy that prevents the deletion of certain resources, such as Cloud Storage buckets or Cloud SQL instances, unless a specific approval process is followed. Which approach best achieves this goal?

Question 4mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is bootstrapping a new organization. They want to ensure that all projects created within the organization have a specific set of APIs enabled, such as Compute Engine, Cloud Storage, and Cloud Resource Manager. What is the most efficient way to achieve this?

Question 5easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

You are bootstrapping a Google Cloud organization. You need to set up a hierarchical structure that allows you to apply policies to groups of projects based on their environment (e.g., development, staging, production). What is the recommended way to organize resources?

Question 6hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping their Google Cloud organization for DevOps. They want to implement a least-privilege model for service accounts used by CI/CD pipelines. The pipelines need to deploy resources in multiple projects. What is the best practice for managing service account keys?

Question 7mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

During the bootstrapping of a Google Cloud organization, you need to ensure that all resources in a specific folder are subject to a particular VPC Service Controls perimeter. Which step is necessary to achieve this?

Question 8easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is setting up a Google Cloud organization. They want to centralize logging and monitoring across all projects. What is the recommended approach?

Question 9mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO options are best practices when bootstrapping a Google Cloud organization for DevOps? (Choose 2)

Question 10hardmulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which THREE actions should be taken to ensure compliance with the principle of least privilege when bootstrapping a Google Cloud organization? (Choose 3)

Question 11easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO are benefits of using a shared VPC in a Google Cloud organization? (Choose 2)

Question 12hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Your organization is bootstrapping a new Google Cloud environment for a DevOps team. The team consists of 15 engineers who will be working on multiple microservices deployed across several projects. You have created a folder called 'devops' under the organization node. Within this folder, you plan to create three projects: 'devops-dev', 'devops-staging', and 'devops-prod'. You want to enforce that all resources in these projects are created in a specific region (us-central1) and that no external IP addresses can be assigned to Compute Engine instances. Additionally, you want to ensure that all service accounts used by the applications have minimal permissions. After setting up the organization policies, you notice that a developer was able to create a Compute Engine instance with an external IP in the 'devops-dev' project. You check the organization policy constraints and find that the constraint 'compute.vmExternalIpAccess' is set to 'Deny' at the organization level, but the developer bypassed it. What is the most likely reason?

Question 13mediummultiple choice
Review the full subnetting walkthrough →

You are a DevOps engineer tasked with bootstrapping a Google Cloud organization for a company that develops a SaaS product. The company has three teams: Platform, Application, and Data. Each team needs to manage their own projects, but the network should be centrally managed. You decide to use a shared VPC. You create a host project 'shared-vpc-host' and attach three service projects: 'platform-service', 'app-service', and 'data-service'. You grant the Network Admin role to the Platform team for the host project. The Application team needs to deploy Compute Engine instances in their service project, but they should not be able to modify network resources. You grant them the Compute Instance Admin role at the service project level. However, the Application team reports that they cannot create instances because they don't have permission to use the subnets in the shared VPC. What is the most likely missing step?

Question 14easymultiple choice
Review the full subnetting walkthrough →

Your organization requires that all new Google Cloud projects are automatically configured with a common set of VPC networks and subnets, and that these networks must be created before any resources are deployed. What is the best approach to enforce this requirement across the organization?

Question 15mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization is bootstrapping its Google Cloud environment and needs to establish a secure CI/CD pipeline that deploys infrastructure using Terraform. The pipeline must run in a dedicated project, and Terraform state must be stored in a Cloud Storage bucket. What is the most secure way to grant the CI/CD service account the minimal permissions required to manage the state bucket?

Question 16hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is setting up a new Google Cloud organization. They want to enforce that all projects have a specific set of labels, and that Cloud Logging is enabled. They have written a custom Organization Policy constraint to enforce the labels. However, they are unsure how to enforce Cloud Logging. Which of the following approaches should they use?

Question 17easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

During the bootstrapping of a Google Cloud organization, you need to create a shared CI/CD pipeline that can deploy resources to multiple projects. The pipeline must use a service account with minimal permissions. What is the recommended way to grant the pipeline service account permissions to deploy resources across projects?

Question 18mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Your organization has multiple teams that need to deploy infrastructure using Terraform. You want to enforce that all Terraform state files are stored in a central Cloud Storage bucket with versioning enabled. You also need to ensure that only the CI/CD pipeline can write to the bucket. What is the best way to enforce this?

Question 19easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO are best practices for bootstrapping a Google Cloud organization for DevOps?

Question 20hardmulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which THREE are key considerations when setting up a Google Cloud organization for DevOps?

Question 21mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Your organization is adopting DevOps practices and needs to bootstrap a Google Cloud organization with multiple projects. You want to enforce consistent resource naming conventions and apply common organization policies across all projects. Which two services should you use together to achieve this?

Question 22hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping a Google Cloud organization for DevOps. They have multiple teams that need to deploy infrastructure using a shared CI/CD pipeline. The security team requires that all deployments be reviewed and approved before production rollout. However, they also want to maintain a fast feedback loop for developers. What is the best way to balance these requirements?

Question 23easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO statements about bootstrapping a Google Cloud organization for DevOps are correct?

Question 24hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Your company is bootstrapping a Google Cloud organization for DevOps. The organization consists of three folders: Dev, Staging, and Prod. Each folder contains multiple projects for different microservices. You have been tasked with setting up a centralized CI/CD pipeline using Cloud Build and Cloud Deploy. The pipeline must deploy to multiple environments in sequence: Dev → Staging → Prod. Each environment requires approval from a different approver group. You have set up Cloud Deploy delivery pipelines with targets pointing to each environment. However, during testing, you notice that after a successful deployment to Dev, the pipeline automatically proceeds to Staging without waiting for approval. What is the most likely cause and solution?

Question 25easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A startup wants to implement infrastructure as code for their Google Cloud environment to ensure reproducibility. They are using Terraform and want to manage state securely. What is the recommended approach?

Question 26easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization is setting up a new Google Cloud organization and wants to enforce consistent resource naming conventions and policies across all projects. Which service should they use?

Question 27mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team wants to automate the deployment of a microservice application to Google Kubernetes Engine (GKE) using Cloud Build. They have a Cloud Build configuration file that builds a container image and deploys it to GKE. However, the deployment step fails with an authorization error. What is the most likely cause?

Question 28mediumdrag order
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Arrange the steps to set up a Google Cloud Monitoring alerting policy for a Compute Engine instance.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 29mediumdrag order
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Order the steps to set up a CI/CD pipeline using Cloud Build and Cloud Deploy for a Cloud Run service.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 30mediumdrag order
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Order the steps to set up a log-based metric in Cloud Logging for error tracking.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 31mediummatching
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Match each Google Cloud service to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

CI/CD pipeline

Metrics and alerting

Log management and analysis

Application error aggregation

Real-time code inspection

Question 32mediummatching
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Match each Cloud Monitoring metric type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Cumulative value that only increases

Instantaneous measurement at a point in time

Statistical summary of values over time

Change in a counter over a time interval

Running total from start of observation

Question 33mediummatching
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Match each Kubernetes resource to its role in a DevOps pipeline.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Manages desired state for Pods

Stable network endpoint for Pods

External HTTP/S load balancing

Non-sensitive configuration data

Sensitive data like passwords

Question 34easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is bootstrapping a new Google Cloud organization. They want to grant a group of engineers the ability to create and manage projects within the organization, but not to modify organization policies or folders. Which IAM role should be assigned at the organization level?

Question 35mediummultiple choice
Review the full subnetting walkthrough →

A company is bootstrapping a Google Cloud organization. They have created a Shared VPC host project. They want to allow a service project's default compute service account to launch instances that use the Shared VPC's subnets. Which IAM role should be granted to that service account at the host project level?

Question 36hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is bootstrapping a Google Cloud organization. They have created a folder for a business unit and want to prevent users from moving projects out of that folder to other folders. Which organization policy constraint should they apply?

Question 37easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is setting up a CI/CD pipeline using Cloud Build. They want the Cloud Build service account to have permission to deploy to Cloud Run within a specific project. Which IAM role should be granted to the Cloud Build service account?

Question 38mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping their Google Cloud organization with multiple departments. Each department has several projects. They want to apply different IAM policies and organization policies per department. What is the recommended way to structure the resource hierarchy?

Question 39hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer is troubleshooting a Cloud Build failure. The build log shows the error: 'Permission denied for resource projects/my-project/locations/us-central1/repositories/my-repo'. The Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) is used. What is the most likely missing role?

Question 40easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team wants to ensure that all audit logs from projects across the organization are sent to a central project for analysis. Which approach should they use?

Question 41mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is bootstrapping CI/CD pipelines that need access to API keys stored in Secret Manager. The pipelines run on Cloud Build. What is the best practice for granting access to secrets?

Question 42hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company uses a Shared VPC and wants to enforce a set of firewall rules across all projects in a folder. They want these rules to be immutable by project owners. Which approach should they use?

Question 43mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is bootstrapping a Google Cloud organization. They need to ensure that all projects have a consistent set of labels applied automatically. Which two approaches can they use? (Choose TWO.)

Question 44hardmulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is designing a CI/CD pipeline using Cloud Build and Spinnaker. They want to ensure secrets are managed securely. Which three recommended practices should they implement? (Choose THREE.)

Question 45easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping a Google Cloud organization with multiple projects. They want to enable consistent security and compliance across all projects. Which two organization policies should they consider? (Choose TWO.)

Question 46easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. The DevOps team is trying to create a new service account key. The operation fails with a permission error. What is the most likely cause?

Network Topology
gcloud resource-manager org-policies listorganization=123456789012CONSTRAINT: constraints/iam.disableServiceAccountKeyUploadLIST_POLICY: trueUPDATE_TIME: 2023-01-15T10:00:00Z
Question 47mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. The Cloud Build fails with a permission error. The Cloud Build service account has roles/cloudbuild.builds.builder and roles/cloudfunctions.developer on the project. What is the missing permission?

Exhibit

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  entrypoint: 'bash'
  args:
    - '-c'
    - |
      gcloud functions deploy my-function \
        --runtime nodejs18 \
        --trigger-http \
        --allow-unauthenticated
Question 48hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. A DevOps engineer is trying to create a new project using the Cloud Console. The project creation fails with a policy violation. The engineer has permissions on folders/12345678 and folders/87654321 but not on any other folders. They select folder/87654321 as the parent. What is the most likely reason for the failure?

Exhibit

{
  "name": "projects/my-project/policies/constraints/resourcemanager.allowedProjectParent",
  "spec": {
    "rules": [
      {
        "values": {
          "allowedValues": [
            "folders/12345678"
          ]
        }
      }
    ]
  }
}
Question 49easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is setting up a new Google Cloud organization. They want to ensure that all projects inherit common IAM policies. What is the best practice?

Question 50mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company uses Cloud Build for CI/CD. They want to allow Cloud Build to deploy to Cloud Run. What is the minimum IAM role to assign to the Cloud Build service account?

Question 51hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company wants to enforce that all projects in the organization have a specific VPC Service Controls perimeter. What is the most efficient way to achieve this?

Question 52easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which tool is recommended for managing the initial setup of a Google Cloud organization, including creating folders, projects, and IAM policies in an automated and repeatable manner?

Question 53mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer is setting up a Cloud Build trigger that deploys to Cloud Run. The build succeeds but the deployment fails with 'Permission denied on the Cloud Run service'. What is the most likely cause?

Question 54hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping their organization using Terraform and wants to store the Terraform state file in a Cloud Storage bucket with versioning enabled. Which of the following is the best practice for securing the state file?

Question 55easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer needs to assign IAM roles at the organization level. Which built-in role is specifically designed for managing IAM policies across the organization?

Question 56mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company uses Cloud Build to deploy applications and wants to ensure that builds from forked repositories cannot access sensitive environment variables. What is the best practice?

Question 57hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company wants to enforce that all service accounts are created with a specific naming convention (e.g., prefix 'sa-'). What is the most efficient way to enforce this?

Question 58mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO are best practices when bootstrapping a Google Cloud organization for DevOps? (Choose two.)

Question 59hardmulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which THREE are valid methods to enforce resource location restrictions in a Google Cloud organization? (Choose three.)

Question 60easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which THREE are required steps when setting up a CI/CD pipeline with Cloud Build for the first time? (Choose three.)

Question 61easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A startup is bootstrapping a Google Cloud organization for DevOps. They need to create a project for their CI/CD tooling and a separate project for logging and monitoring. What is the recommended way to structure the resource hierarchy?

Question 62mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer is setting up a Cloud Build trigger that builds a container image and deploys it to Cloud Run. The build fails with a permission error when trying to access resources in a different project. The engineer has created a service account in the project where Cloud Build runs and granted it roles/run.admin and roles/storage.objectViewer on the target project. What is the most likely cause of the failure?

Question 63hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A large enterprise is migrating to Google Cloud and wants to bootstrap their organization for DevOps. They have multiple business units, each needing their own folder with projects. Security requires that all projects in the 'prod' folder must have a specific set of organization policies enforced, such as restricting service account key creation. They also want to allow individual teams to create project-level policies as long as they don't conflict with the organization policies. Which approach ensures this while minimizing administrative overhead?

Question 64easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is bootstrapping their Google Cloud organization and wants to enable Infrastructure as Code (IaC) using Terraform. They need a service account that Terraform can use to create and manage resources across multiple projects. What is the best practice for creating and managing this service account?

Question 65mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

During bootstrapping, a DevOps engineer wants to ensure that all new projects automatically have a set of APIs enabled, such as Cloud Resource Manager API and Cloud Billing API. They also want to enforce that certain APIs cannot be disabled accidentally. What is the most efficient way to achieve this?

Question 66hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization is bootstrapping their Google Cloud environment and wants to implement a shared VPC for DevOps workloads. The network team manages the host project, while DevOps teams have service projects. They need to ensure that DevOps teams can create resources in their service projects that use the shared VPC, but they cannot change the host project's network configuration. Which IAM roles should be granted to the DevOps team's service account on the host project?

Question 67easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping a Google Cloud organization for the first time. They want to set up Cloud Identity to manage users and groups. What is the correct order of steps?

Question 68mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

During bootstrapping, a DevOps lead wants to ensure that all projects in the 'dev' folder have a consistent set of VPC firewall rules and network policies. They are considering using a shared VPC or VPC Network Peering. Which approach provides the most control and consistency for DevOps teams while minimizing administrative overhead?

Question 69hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is bootstrapping a Google Cloud organization with multiple subsidiaries. Each subsidiary needs its own folder with IAM policies that are managed locally, but the parent company wants to enforce a global policy that restricts the use of certain machine types (e.g., N2D) for cost control. However, one subsidiary has a legitimate need for those machine types in a specific project. What is the best way to handle this exception while maintaining the global policy?

Question 70easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO of the following are best practices when bootstrapping a Google Cloud organization for DevOps?

Question 71mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO of the following are required steps to set up a shared VPC for DevOps teams?

Question 72hardmulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which THREE of the following are valid considerations when using organization policies to enforce compliance in a DevOps environment?

Question 73easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping a new Google Cloud organization for DevOps. They want to separate development, staging, and production environments using folders. Which folder structure follows Google-recommended best practices?

Question 74mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer is trying to create a service account key for a CI/CD pipeline, but receives the error: 'Constraint constraints/iam.disableServiceAccountKeyCreation violated'. What is the most likely cause and solution?

Question 75hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A large enterprise is designing a centralized DevOps platform across multiple business units. They want to use a shared CI/CD pipeline that deploys to projects in different folders. Which approach ensures secure, auditable deployments while minimizing IAM administration?

Question 76easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

To securely manage secrets (e.g., API keys) used in Cloud Build pipelines, which service should be used?

Question 77mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A Cloud Build pipeline fails with 'Permission denied' when trying to pull a Docker image from Artifact Registry in the same project. The Cloud Build service account has the Artifact Registry Reader role. What additional configuration is likely missing?

Question 78hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

When bootstrapping a new Google Cloud organization for DevOps, which set of initial IAM roles should be assigned to the DevOps team to enable them to create and manage projects, folders, and billing accounts?

Question 79easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which Google Cloud service provides a fully managed, private Git repository that integrates with Cloud Build for continuous integration?

Question 80mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer notices that a Cloud Build trigger is not firing when commits are pushed to a Cloud Source Repositories repository. The trigger is configured with an invert regex for the branch filter. What could be the issue?

Question 81hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization has a strict compliance requirement that all CI/CD pipelines must use customer-managed encryption keys (CMEK) for any artifacts stored in Cloud Storage. How can this be enforced at the organization level?

Question 82easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO Organization Policy constraints are commonly used to enhance security in a DevOps environment?

Question 83mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

When bootstrapping a Google Cloud organization for DevOps, which THREE steps are essential to set up a secure CI/CD foundation using Cloud Build?

Question 84hardmulti select
Review the full routing breakdown →

A Cloud Build pipeline that deploys a container to Cloud Run fails with the error: `Missing required permission run.routes.invoke`. The Cloud Build service account has the 'Cloud Run Invoker' role. Which TWO additional steps should be taken?

Question 85easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. The output shows three folders created directly under the organization node. Which gcloud command was most likely executed to produce this output?

Network Topology
gcloud resource-manager folders listorganization=123456789012Output:DISPLAY_NAME PARENT_NAME IDProduction organizations/123456789012 987654321Staging organizations/123456789012 876543210Development organizations/123456789012 765432109
Question 86mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. A Cloud Build pipeline using this configuration fails on the third step with a permission error. The Cloud Build service account has the 'Cloud Run Admin' role. What is the most likely missing permission?

Network Topology
args: ['gcloud'image'region'steps:- name: 'gcr.io/cloud-builders/docker'args: ['build', '-t', 'us-central1-docker.pkg.dev/my-project/my-repo/my-image:latest', '.']args: ['push', 'us-central1-docker.pkg.dev/my-project/my-repo/my-image:latest']- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
Question 87hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. A DevOps engineer assigned this custom role to a service account used in Cloud Build. The pipeline fails when trying to access a secret stored in Secret Manager. Which permission is missing?

Exhibit

{
  "name": "projects/my-project/roles/customDevOpsRole",
  "title": "Custom DevOps Role",
  "description": "For CI/CD pipelines",
  "includedPermissions": [
    "cloudbuild.builds.create",
    "cloudbuild.builds.get",
    "artifactregistry.repositories.downloadArtifacts",
    "artifactregistry.repositories.uploadArtifacts",
    "run.routes.invoke",
    "run.services.update"
  ]
}
Question 88easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is setting up a new Google Cloud organization. They want to apply a consistent set of IAM roles to all projects within a specific department. What is the most efficient method to achieve this?

Question 89mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer is bootstrapping a CI/CD pipeline using Cloud Build. They need to ensure that only specific service accounts can trigger builds on certain branches. What is the recommended approach?

Question 90hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization has multiple projects under a common folder. They want to enforce that all projects use the same VPC network from a central host project. However, one project needs to use a different VPC due to compliance requirements. How can this be achieved?

Question 91easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A startup wants to implement Infrastructure as Code (IaC) using Terraform for their Google Cloud environment. They need to manage state files securely. What is the best practice?

Question 92mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps team is setting up a Google Cloud organization and wants to ensure that all billing alerts are centrally managed. What should they do?

Question 93hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization has a policy that all projects must have Cloud Logging enabled and logs must be retained for at least 365 days. What is the most efficient way to enforce this across all projects?

Question 94easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO are best practices when setting up a Google Cloud organization for multiple teams? (Select exactly 2)

Question 95mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which THREE actions should be taken when bootstrapping a CI/CD pipeline on Google Cloud? (Select exactly 3)

Question 96hardmulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Which TWO are valid methods to manage service account keys securely? (Select exactly 2)

Question 97mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. A DevOps engineer tries to create a project but gets this error. What is the most likely cause?

Exhibit

```
$ gcloud organizations list
ID: 123456789012
$ gcloud projects create my-project --organization=123456789012
ERROR: (gcloud.projects.create) FAILED_PRECONDITION: Project creation is restricted.
```
Question 98hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. A DevOps engineer applies this Terraform configuration but gets an error: "Error creating Project: googleapi: Error 403: The caller does not have permission to enable services". What is the most likely cause?

Exhibit

```
resource "google_project" "my_project" {
  name       = "My Project"
  project_id = "my-project-123"
  org_id     = "123456789012"
  auto_create_network = false
}
resource "google_project_service" "compute" {
  project = google_project.my_project.project_id
  service = "compute.googleapis.com"
}
```
Question 99hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Your company has recently migrated to Google Cloud and has set up an organization with three folders: Development, Staging, and Production. Each folder contains multiple projects. The DevOps team has established a centralized CI/CD pipeline using Cloud Build and Artifact Registry in a tools project under the Development folder. They want to ensure that only images built by the CI/CD pipeline are allowed to be deployed to the Production environment. They have configured Binary Authorization with a policy that requires attestations from the Cloud Build service account. However, a developer accidentally pushes a container image directly from their local machine to Artifact Registry using their personal IAM permissions, and then deploys that image to a Production project by bypassing the CI/CD pipeline. How can you prevent this from happening in the future?

Question 100easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company wants to ensure that all projects in the organization have Cloud Resource Manager API enabled. What is the most efficient method?

Question 101mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer needs to set up a centralized logging solution for multiple projects. They want to store logs in a BigQuery dataset for analysis. What is the best approach?

Question 102hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization is using Cloud Source Repositories and wants to enforce that all commits are signed with a verified GPG key. How can they enforce this?

Question 103mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping a new Google Cloud organization. They want to ensure that all projects are created under specific folders and that certain IAM roles are automatically granted to a group for new projects. What is the most efficient approach?

Question 104hardmultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer notices that developers are accidentally deleting Cloud Storage buckets. The organization wants to prevent accidental deletion while still allowing developers to manage bucket objects. What is the best practice?

Question 105easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company uses Cloud Build and wants to trigger builds only from the master branch. Which configuration is required?

Question 106mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

An organization wants to enforce that all Compute Engine VMs use only specific machine families (e.g., N2, C2). Which mechanism should they use?

Question 107mediummulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A team is bootstrapping a new Google Cloud organization. Which TWO practices are recommended for managing project creation and resource hierarchy? (Choose two.)

Question 108hardmulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A DevOps engineer is designing a CI/CD pipeline using Cloud Build. Which TWO configurations are necessary to ensure secure and reliable deployments? (Choose two.)

Question 109easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company wants to implement a DevOps culture in their new Google Cloud organization. Which THREE practices align with Google's DevOps principles? (Choose three.)

Question 110easymultiple choice
Read the full NAT/PAT explanation →

You are a DevOps engineer for a startup bootstrapping their Google Cloud organization. They have a single project for all environments (dev, test, prod) and a flat resource hierarchy. Recently, a developer accidentally deleted a production Cloud Storage bucket, causing data loss. The team wants to prevent this in the future with minimal disruption. They also want to enforce that all new projects follow a naming convention like 'company-environment-xxx'. The CTO wants a solution using native Google Cloud services without third-party tools. What should you do?

Question 111mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A financial company is bootstrapping their Google Cloud organization for DevOps. They have strict compliance requirements: all projects must be under a folder hierarchy based on business units, and each project must have a Cloud Storage bucket with a retention policy of at least 1 year. They have 50 existing projects that need to be migrated into this hierarchy, and all future projects must comply. The team wants to automate as much as possible using Google Cloud services. Currently, projects are created manually with various ad-hoc permissions. What is the best approach to meet these requirements?

Question 112hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is bootstrapping their Google Cloud organization. They have multiple business units in different countries, each with its own compliance requirements (e.g., data residency, encryption keys). The organization structure must support: (1) each business unit as a separate folder with its own admin; (2) projects within each folder must have a label 'bu-<businessunit>'; (3) all resources must be created in regions allowed by the business unit; (4) audit logging must be centralized. They have 200 existing projects and 10,000 VMs. The team wants to use Google Cloud's native tools to enforce these policies without third-party software. What is the most effective first step?

Question 113easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A small team is setting up a Google Cloud organization for their DevOps pipeline. They have zero existing projects. Their planned architecture uses Cloud Build for CI/CD, Cloud Source Repositories for code, and Artifact Registry for images. They want to ensure that developers can only deploy to the production environment after code review and approval. They also want to automatically trigger builds on commits to the main branch. Which of the following is the most efficient way to implement this?

Question 114mediummultiple choice
Read the full VPN explanation →

A DevOps team is migrating their infrastructure to Google Cloud. They have a complex environment with multiple VPC networks, shared services, and separate development and production projects. They want to bootstrap a new organization that supports: (1) centralized network management with shared VPC, (2) separate folders for dev and prod, (3) consistent firewall rules across all projects, (4) a single Cloud NAT for outbound traffic. They have an existing on-premises VPN that must connect to all projects. What is the most efficient approach?

Question 115hardmultiple choice
Read the full NAT/PAT explanation →

A large enterprise is bootstrapping a Google Cloud organization with strict security requirements. They need to: (1) enforce multi-factor authentication (MFA) for all users, (2) prevent any new project from using default VPCs, (3) require customer-managed encryption keys (CMEK) for all Cloud Storage buckets, (4) automatically revoke access for offboarded employees within 24 hours. They have an existing Active Directory and plan to use Google Cloud's Identity Platform for SSO. Which combination of Google Cloud services and policies should they implement?

Question 116easymultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A startup is bootstrapping their Google Cloud organization with the following constraints: they have a small team of 10 developers, each with varying levels of expertise. They want a simple setup that allows developers to experiment in their own projects but prevents them from deleting production resources. They also want to enforce a budget limit on each project to avoid unexpected costs. The team has no prior Google Cloud experience and wants minimal operational overhead. Which of the following approaches best meets their needs?

Question 117mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A government agency is bootstrapping a Google Cloud organization with strict compliance requirements. They must: (1) store all logs in a centralized project with retention of 7 years, (2) ensure no data leaves the United States, (3) use customer-managed encryption keys (CMEK) for all persistent disks and buckets, (4) automatically reject any resource creation outside allowed regions (us-central1 and us-east1). They have an existing on-premises SIEM that needs to receive logs via Pub/Sub. The network team wants to use Shared VPC. What is the correct order of steps to implement this?

Question 118mediummultiple choice
Read the full Bootstrapping a Cloud organization for DevOps explanation →

Refer to the exhibit. A DevOps engineer is bootstrapping a Google Cloud organization and wants to ensure that no Compute Engine VM instances can have external IP addresses. The engineer applies this Terraform configuration. What is the effect of this configuration on the organization?

Exhibit

resource "google_organization_policy" "restrict_vm_external_ip" {
  org_id     = "123456789"
  constraint = "constraints/compute.vmExternalIpAccess"
  boolean_policy {
    enforced = true
  }
}
Question 119easymulti select
Read the full Bootstrapping a Cloud organization for DevOps explanation →

A company is bootstrapping a Google Cloud organization for DevOps. Which TWO practices should be implemented to ensure secure and efficient management of infrastructure as code (IaC) pipelines?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCDOE Practice Test 1 — 10 Questions→PCDOE Practice Test 2 — 10 Questions→PCDOE Practice Test 3 — 10 Questions→PCDOE Practice Test 4 — 10 Questions→PCDOE Practice Test 5 — 10 Questions→PCDOE Practice Exam 1 — 20 Questions→PCDOE Practice Exam 2 — 20 Questions→PCDOE Practice Exam 3 — 20 Questions→PCDOE Practice Exam 4 — 20 Questions→Free PCDOE Practice Test 1 — 30 Questions→Free PCDOE Practice Test 2 — 30 Questions→Free PCDOE Practice Test 3 — 30 Questions→PCDOE Practice Questions 1 — 50 Questions→PCDOE Practice Questions 2 — 50 Questions→PCDOE Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Bootstrapping a Google Cloud organization for DevOpsManaging service incidentsManaging Google Cloud costsBuilding and implementing CI/CD pipelinesImplementing service monitoring strategiesOptimizing service performance

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Bootstrapping a Google Cloud organization for DevOps setsAll Bootstrapping a Google Cloud organization for DevOps questionsPCDOE Practice Hub