Arrange the steps to recover a Google Cloud SQL instance from a point-in-time backup.
Why this order
Identify time, clone, verify, promote, update connections.
68 questions · CI/CD Pipelines topic · All types, answers revealed
A team implements canary deployments using Cloud Deploy and deploys to GKE. They want to automatically roll back if the canary release's error rate exceeds 5% within 10 minutes. Which approach should they use?
Cloud Deploy can use a 'canary' strategy with metrics-based promotion/rollback.
Why this answer
Option C is correct because Cloud Deploy supports integration with Cloud Monitoring for automated rollback on metric thresholds. Option A is incorrect - manual rollback doesn't meet the automatic requirement. Option B is incorrect - GKE rolling update is not canary.
Option D is incorrect - Spinnaker is not native to GCP and not automatically integrated with Cloud Deploy.
A company uses Cloud Build to compile a Java application. The build takes 15 minutes due to dependency downloads. They want to cache the Maven dependencies to speed up subsequent builds. What is the best approach?
Cloud Build volumes persist data across steps and builds, ideal for caching dependencies.
Why this answer
Option B is correct because Cloud Build supports volumes that can be used to cache directories between builds. Option A is possible but less integrated. Option C is not specific to Maven. Option D is not a native Cloud Build feature.
A Cloud Build pipeline uses the above cloudbuild.yaml. When triggered, the deploy step fails with: 'ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'run.services.update' denied on resource.' The Cloud Build service account has the 'Cloud Run Admin' role. What is the most likely cause?
Nested builds use the default Cloud Build service account of the second build, which may lack permissions.
Why this answer
Option B is correct because when a Cloud Build pipeline uses a nested `gcloud builds submit` command, the nested build runs under the default Compute Engine service account (or a user-specified service account) rather than the top-level Cloud Build service account. Even if the top-level service account has the Cloud Run Admin role, the nested build's service account may lack the `run.services.update` permission, causing the deploy step to fail with PERMISSION_DENIED.
Exam trap
Google Cloud often tests the misconception that all steps in a Cloud Build pipeline share the same service account, when in fact nested builds use a different service account by default, leading to unexpected permission errors.
How to eliminate wrong answers
Option A is wrong because the substitution variable ${_ENV} is a user-defined substitution that is passed to the top-level build; if it were missing, the error would be about an undefined variable or incorrect resource name, not a permission denied error. Option C is wrong because the `gcr.io/cloud-builders/gcloud` image fully supports `gcloud run deploy`; it is the official Google-maintained image for running gcloud commands in Cloud Build. Option D is wrong because the problem statement explicitly says the Cloud Build service account has the 'Cloud Run Admin' role, which includes the `run.services.update` permission; the error arises from a different service account used in the nested build.
Which GCP service is used to store build artifacts such as Docker images?
Both Artifact Registry and Container Registry can store Docker images.
Why this answer
Option D is correct because both Artifact Registry and Container Registry can store Docker images, though Artifact Registry is the recommended service. Option A is for object storage, not container images.
During a Cloud Build execution, a step fails due to timeout. What is the first thing to check?
Logs provide details on what caused the step to hang or fail.
Why this answer
When a Cloud Build step fails due to a timeout, the build logs are the first and most authoritative source of diagnostic information. They contain the exact error messages, exit codes, and step output that reveal why the step exceeded its timeout — for example, a hanging command, a missing dependency, or a resource contention issue. Checking logs before making any configuration changes ensures you address the root cause rather than treating symptoms.
Exam trap
Google Cloud often tests the misconception that a timeout is always a performance or configuration issue, leading candidates to jump to increasing resources or timeout values, when the correct first step is always to inspect the build logs for the actual error.
How to eliminate wrong answers
Option A is wrong because network connectivity issues typically manifest as connection refused or DNS resolution errors, not as a generic timeout; the logs would still show those errors, so checking logs first is still the correct step. Option C is wrong because increasing the machine type addresses performance bottlenecks but does not fix a timeout caused by an infinite loop, a stuck process, or a misconfigured command — the logs must be examined first to determine if the timeout is due to resource starvation. Option D is wrong because increasing the timeout in cloudbuild.yaml only masks the underlying problem; if a step is hanging indefinitely, a longer timeout will just delay the failure, and the logs must be checked to understand why the step is not completing within the original limit.
Which TWO options are valid methods to trigger a Cloud Build build when code is pushed to a Cloud Source Repository?
Cloud Build can be triggered by Pub/Sub messages via a trigger.
Why this answer
Options A and D are correct. Cloud Build triggers can be based on branch or tag push, and can also be triggered via Pub/Sub message. Option B is incorrect - Cloud Build does not directly listen to Cloud Pub/Sub subscriptions without a trigger.
Option C is incorrect - builds are not automatically triggered by Cloud Logging. Option E is incorrect - Cloud Scheduler cannot directly trigger a build without a Pub/Sub or HTTP intermediary.
Which THREE are benefits of migrating from Jenkins to Cloud Build?
Cloud Build is serverless.
Why this answer
Option A is correct because Cloud Build is a fully managed CI/CD service that runs on Google Cloud's infrastructure, eliminating the need for users to provision, configure, or maintain build servers. Unlike Jenkins, which requires ongoing administration of the Jenkins master and agent nodes, Cloud Build automatically scales resources and handles underlying server maintenance, including OS patches and hardware failures.
Exam trap
Google Cloud often tests the misconception that Cloud Build supports any VCS or includes built-in security scanning, when in reality it has specific VCS integrations and relies on external tools for security scanning.
A team is implementing a CI/CD pipeline for a Kubernetes application. They want to use canary deployments with traffic splitting. Which tool or service is best suited for this?
Cloud Deploy provides native support for canary deployments and traffic splitting via Skaffold.
Why this answer
Cloud Deploy with Skaffold is best suited for canary deployments with traffic splitting because Cloud Deploy provides built-in support for progressive delivery strategies, including canary and blue-green deployments, and integrates with Skaffold to manage Kubernetes manifests and traffic routing via service mesh or ingress controllers. Skaffold handles the build and deploy stages, while Cloud Deploy orchestrates the rollout with automated traffic splitting and promotion/rollback logic, making it the only option that directly addresses the requirement.
Exam trap
The trap here is that candidates often confuse Cloud Build (a build tool) with a full deployment orchestrator, or assume Cloud Run can handle Kubernetes canary deployments, but Cloud Deploy with Skaffold is the only option that provides native, automated traffic splitting for Kubernetes applications.
How to eliminate wrong answers
Option A is wrong because Cloud Run is a serverless compute platform for stateless containers, not a CI/CD pipeline tool, and it does not support traffic splitting for canary deployments in the same way as Kubernetes-based progressive delivery. Option B is wrong because Cloud Build is a CI/CD build and test service that compiles source code and creates artifacts, but it lacks native support for orchestrating canary deployments or traffic splitting on Kubernetes. Option D is wrong because Anthos Config Management is a policy and configuration management tool for enforcing cluster state and GitOps workflows, not a deployment pipeline service that handles traffic splitting or canary rollouts.
A company uses Cloud Build with a custom service account that has minimal permissions. The build needs to deploy to Cloud Run. After configuring the service account with roles/run.admin, the build fails with 'Permission denied' on gcloud run deploy. What is the most likely cause?
Cloud Build needs to impersonate the runtime service account; roles/iam.serviceAccountUser is required.
Why this answer
Option B is correct because deploying to Cloud Run requires the iam.serviceAccountUser role on the runtime service account to impersonate it. Option A is not relevant. Option C is a different error.
Option D is not required.
A fintech company deploys a critical payment service on GKE using Cloud Deploy with a canary deployment strategy. They want to automatically roll back if the canary release causes an increase in error rates over 1%. They have set up Cloud Monitoring to expose a custom metric 'error_rate' from the service. They want Cloud Deploy to evaluate this metric during the canary phase and roll back if the threshold is exceeded. What is the minimal configuration needed?
This configures automatic metric-based verification and rollback in the canary phase.
Why this answer
Option A is correct: Cloud Deploy supports 'canaryDeployment' with phases and requires a verification job that queries Stackdriver metrics. Defining a 'stackdriverMetrics' verification job in the Skaffold configuration achieves this. Option B is incorrect because the rollout strategy 'strategy' is not a top-level field; it's part of the pipeline.
Option C is incorrect because Cloud Deploy does not inherently know the metrics; a verification job must be defined. Option D is incorrect because additional phases are not needed and don't enable metric evaluation.
A team uses Spinnaker on GKE for deployment. They notice that deployments are taking too long because of manual judgment gates. They want to automatically approve deployments if the canary analysis passes predefined thresholds. What Spinnaker feature should they use?
ACA with Kayenta automates canary evaluation based on metrics thresholds.
Why this answer
Option D is correct because Spinnaker's Automated Canary Analysis (ACA) feature allows teams to define canary analysis thresholds and automatically promote or roll back deployments based on the analysis results, eliminating the need for manual judgment gates. This directly addresses the requirement to automatically approve deployments when predefined thresholds are met, without human intervention.
Exam trap
The trap here is that candidates may confuse the Policy Engine (OPA) with automated approval logic, but OPA is for policy enforcement (e.g., 'only deploy from master branch'), not for statistical canary analysis and automated promotion.
How to eliminate wrong answers
Option A is wrong because automated rollback is a reactive mechanism that reverts a deployment after a failure is detected, not a proactive feature to automatically approve deployments based on canary analysis. Option B is wrong because the Policy Engine with OPA (Open Policy Agent) is used for enforcing governance and compliance policies (e.g., restricting which accounts can deploy), not for automating canary analysis approvals. Option C is wrong because Pipeline Expressions are used for dynamic parameterization and conditional logic within pipeline stages, but they cannot perform the statistical analysis of canary metrics required for automated approval.
A CI/CD pipeline must deploy to multiple environments (dev, staging, prod) with manual approval required before prod deployment. Which Google Cloud service is best for orchestrating this?
Cloud Deploy supports manual approvals and promotion across targets.
Why this answer
Cloud Deploy provides a delivery pipeline with sequential stages and manual approval gates, making it ideal for multi-environment deployments.
A team uses Cloud Build with a cloudbuild.yaml that deploys to multiple environments. They want to ensure that the production deployment step only runs when the build is triggered by a tag matching 'v*.*.*'. Which TWO configurations achieve this? (Choose two.)
Conditional step execution based on tag substitution.
Why this answer
Option A is correct because Cloud Build supports substitution variables like $TAG_NAME, which can be used in a 'waitFor' condition or as part of a step's entrypoint logic to gate execution. By checking if $TAG_NAME matches the glob pattern 'v*.*.*', the production deployment step will only run when the build is triggered by a matching tag, ensuring environment-specific control within a single cloudbuild.yaml.
Exam trap
Google Cloud often tests the distinction between branch-based and tag-based triggers, and candidates mistakenly apply branch filters (like '^main$') or branch-name checks when the requirement explicitly specifies tag-based triggers, leading them to select options C or D.
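The gating logic described above, written out as an added example (not code from the quiz or from Google): a small POSIX shell guard a production deploy step can run first. It assumes Cloud Build exposes the triggering tag in `$TAG_NAME` (empty for branch-triggered builds) and checks the tag against the `v*.*.*` glob, then additionally confirms that each of the three components is numeric, so `v1.2.3-rc1` or `v1.2.3.4` does not slip through the glob.

```shell
# Added example, not from the quiz page. Guard for a production deploy step.
# Assumption: Cloud Build exports the triggering tag as $TAG_NAME (empty for
# branch builds). The step deploys only for tags of the form v<major>.<minor>.<patch>.

# Returns 0 (true) when the tag is a release tag v<number>.<number>.<number>,
# 1 otherwise. The 'case' glob is the same v*.*.* pattern the trigger filter
# uses; the numeric check rejects pre-release suffixes and extra components.
is_release_tag() {
  tag="$1"
  case "$tag" in
    v*.*.*) ;;          # glob matched; still verify the fields are plain numbers
    *) return 1 ;;
  esac
  rest="${tag#v}"       # strip the leading v, then split on the dots
  major="${rest%%.*}"; rest="${rest#*.}"
  minor="${rest%%.*}"; patch="${rest#*.}"
  for part in "$major" "$minor" "$patch"; do
    case "$part" in
      ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit (e.g. "3-rc1", "3.4")
    esac
  done
  return 0
}

# Decision for the production step: prints "deploy" or "skip" so the outcome
# can be checked. In a real cloudbuild.yaml step the deploy branch would run
# the gcloud deploy command instead of echoing.
prod_gate() {
  if is_release_tag "${1:-}"; then
    echo "deploy"
  else
    echo "skip"
  fi
}

# Example use inside a build step (bash entrypoint):
#   if [ "$(prod_gate "$TAG_NAME")" = deploy ]; then gcloud run deploy ...; fi
prod_gate "${TAG_NAME:-}"
```

Because `$TAG_NAME` is empty when a branch push triggers the build, the same cloudbuild.yaml can serve both branch and tag triggers: the production step simply reports `skip` for branch builds.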
A build step needs to access a secret stored in Secret Manager. How should the secret be passed to the build step?
This is the secure method to access secrets in Cloud Build.
Why this answer
Cloud Build's availableSecrets field allows you to securely access secrets from Secret Manager and inject them as environment variables or volumes.
A company uses Cloud Build with a private pool in a shared VPC to access on-premises resources. Several builds fail intermittently with 'failed to connect to backend' errors when trying to pull from a private npm registry hosted on-premises. The error occurs only during peak hours. What is the most likely cause?
Peak hours increase concurrent builds, exhausting pool capacity.
Why this answer
The intermittent 'failed to connect to backend' errors during peak hours point to resource exhaustion in the private pool. Private pools have a fixed number of workers; when all workers are busy, new builds must wait, and if the queue or connection timeout is exceeded, the build fails. This is a classic capacity issue, not a DNS, certificate, or firewall problem.
How to eliminate wrong answers
Option A is wrong because DNS caching issues would cause persistent failures, not just during peak hours, and Cloud Build uses the VPC's DNS resolution which is stable. Option C is wrong because SSL certificate issues would cause TLS handshake failures, not generic 'failed to connect' errors, and the service account does not manage certificates for outbound connections. Option D is wrong because if the on-premises firewall were blocking Cloud NAT IPs, the failures would be consistent, not intermittent and tied to peak hours.
A developer wants to trigger a Cloud Build execution whenever a pull request is created against the main branch in Cloud Source Repositories. Which Cloud Build trigger configuration should be used?
Cloud Build triggers support pull request events with branch filtering.
Why this answer
Option B is correct because Cloud Build triggers can be configured to respond to pull request events on a specific branch. Option A is for push events on main branch. Option C is for tags.
Option D is for manual trigger.
A company is implementing CI/CD for a microservices application on Google Kubernetes Engine (GKE). The team wants to ensure that each service can be built and deployed independently without affecting other services. They also need to enforce that only successfully tested builds are deployed to production. Which CI/CD approach should they use?
This approach provides independent builds and automated promotion based on tests.
Why this answer
Option A is correct because it uses separate Cloud Build triggers per microservice to enable independent builds, and Cloud Deploy with canary deployments and automated promotion after tests pass ensures that only successfully tested builds reach production. This approach aligns with the requirements of independent service deployment and gated promotion to production on GKE.
Exam trap
Google Cloud often tests the distinction between independent service pipelines versus monolithic pipelines, and the trap here is assuming that a single pipeline or manual gates can satisfy both independence and automated gating, leading candidates to choose options like C or D.
How to eliminate wrong answers
Option B is wrong because it deploys to Cloud Run instead of GKE, which does not meet the requirement of using GKE for the microservices application. Option C is wrong because a single Cloud Build trigger that builds all services violates the independence requirement, and manual promotion to production does not enforce automated gating based on test success. Option D is wrong because Spinnaker with a single pipeline that builds all services also violates independence, and manual judgment gates are not automated promotion after tests pass.
An organization wants to implement a CI/CD pipeline that automatically deploys to a staging environment on every push to the main branch, and deploys to production only after a manual approval. They use Cloud Build and Cloud Deploy. What is the best way to configure this?
Cloud Deploy supports automatic promotion to staging and manual approval to production.
Why this answer
Option A is correct because Cloud Deploy natively supports delivery pipelines with multiple targets, where you can configure automatic promotion to staging and require manual approval for production. This aligns with the requirement for a CI/CD pipeline that deploys to staging on every push to main and to production only after manual approval, using Cloud Build for the build and Cloud Deploy for the deployment orchestration.
Exam trap
Google Cloud often tests the distinction between Cloud Build (build and test) and Cloud Deploy (deployment orchestration with approval gates), so the trap here is assuming Cloud Build alone can handle manual approvals or multi-environment promotion, when Cloud Deploy is the correct service for that workflow.
How to eliminate wrong answers
Option B is wrong because it suggests using a single Cloud Build pipeline with conditional steps based on branch name, but Cloud Build is a build and test service, not a deployment orchestrator; it lacks native support for manual approval gates and promotion between environments, which is a core requirement. Option C is wrong because it describes traffic splitting on Cloud Run, which is a canary deployment strategy, not a CI/CD pipeline with separate staging and production targets requiring manual approval; Cloud Deploy is the appropriate service for such multi-target pipelines. Option D is wrong because it proposes using two separate Cloud Build triggers with manual trigger for production, but Cloud Build triggers do not provide a built-in manual approval workflow; Cloud Deploy's delivery pipeline with approval targets is the designed solution for this pattern.
Which THREE are best practices for securing a CI/CD pipeline on Google Cloud?
Secret Manager integrates with Cloud Build for secure access.
Why this answer
Options A, C, and D are correct. Using a private pool avoids exposure to public internet, storing credentials in Secret Manager avoids hardcoding, and using Binary Authorization ensures container integrity. Option B is incorrect - using personal credentials is insecure.
Option E is incorrect - running builds on a public pool is less secure.
A startup is building a CI/CD pipeline for their Cloud Run service. They use Cloud Build to build a Docker image, push it to Artifact Registry, and then deploy to Cloud Run with the 'gcloud run deploy' command in the build config. The initial deployment works, but subsequent builds fail at the deploy step with a permission error: 'Permission denied to deploy revision to Cloud Run service'. The Cloud Build service account has the Cloud Run Developer role. The developers can manually deploy from their workstations using their own accounts. What is the most likely cause?
Cloud Deploy (and gcloud run deploy) requires the caller to have actAs permission on the identity being used by the Cloud Run service.
Why this answer
Option D is correct: Cloud Run requires the service account to have the 'iam.serviceAccounts.actAs' permission on the runtime service account used by Cloud Run (the compute engine default service account or a custom one). The Cloud Run Developer role alone does not include this. Option A is incorrect because the error is permission-related, not API enablement.
Option B is incorrect because Artifact Registry permissions are for pushing images, not deploying. Option C is incorrect because Cloud Build uses its own service account, not user credentials.
A company is using Cloud Build to build a Go application. The build fails with an error 'no Go files in /workspace'. What is the most likely cause?
The error indicates no Go files found in /workspace, confirming a directory mismatch.
Why this answer
Cloud Build copies the repository contents to /workspace. If the Go source files are in a subdirectory, the build step might be pointing to the wrong directory.
A company runs a CI/CD pipeline using Cloud Build and Cloud Deploy for a web application. The pipeline builds a container image, pushes it to Artifact Registry, and then deploys it to a GKE cluster using Cloud Deploy. Recently, the deployment step started failing with the error: 'INVALID_ARGUMENT: The release contains one or more images that are not in the target project's Artifact Registry.' The container image is built in the same project as the target cluster. The Cloud Build service account has been granted the roles/cloudbuild.builds.builder and roles/artifactregistry.admin on the project. The DevOps engineer verified that the image exists in Artifact Registry and the path is correct. What should the DevOps engineer do to resolve the issue?
The most common cause is a misconfigured image reference in the delivery pipeline. Correcting the path resolves the error.
Why this answer
Option C is correct because the error 'INVALID_ARGUMENT: The release contains one or more images that are not in the target project's Artifact Registry' indicates that the Cloud Deploy delivery pipeline is referencing an image path that does not match the actual location of the image. Even though the image exists in Artifact Registry and the path appears correct, Cloud Deploy validates the image reference (including project ID, repository name, and image tag) against the target project's registry. The engineer must ensure the delivery pipeline YAML or configuration explicitly specifies the correct full image path, including the project ID and repository, so that Cloud Deploy can resolve and verify the image during release creation.
Exam trap
The trap here is that candidates assume the error is a permissions issue (leading them to grant roles to service accounts) when it is actually a configuration mismatch in the image path referenced by the Cloud Deploy delivery pipeline.
How to eliminate wrong answers
Option A is wrong because storing images in a different repository does not address the root cause—the mismatch between the image path referenced in the Cloud Deploy pipeline and the actual image location; it would only shift the problem to another repository. Option B is wrong because the Cloud Deploy service account does not need roles/artifactregistry.reader; Cloud Deploy uses the Cloud Build service account or the user's credentials to read images, and the error is about path resolution, not permissions. Option D is wrong because the roles/clouddeploy.jobRunner role is for executing deployment jobs, not for resolving image references; the issue is a configuration mismatch in the delivery pipeline, not a missing role on the Cloud Build service account.
Match each Google Cloud deployment strategy to its description.
Two identical environments; switch traffic
Gradually replace instances with new version
Route small traffic percentage to new version
Compare two versions based on user metrics
New version receives mirrored traffic without impact
Why these pairings
Common deployment strategies for minimizing risk.
A DevOps team wants to automate the deployment of a containerized application to multiple GKE clusters across different regions. They are using Cloud Build to build the container and Cloud Deploy for deployment. Which Cloud Deploy resource should they configure to define the deployment order and target clusters?
Delivery pipeline specifies targets and promotion order.
Why this answer
Option B is correct because a delivery pipeline defines the promotion sequence and targets. Option A is incorrect as a Cloud Build trigger only starts builds. Option C is incorrect - a release is a specific snapshot, not the pipeline.
Option D is incorrect - a rollout targets a single target.
A team is using Cloud Build to build a Docker image and push to Artifact Registry. After each build, they want to automatically trigger a deployment to Cloud Run. What is the best way to achieve this?
Cloud Run triggers can automatically deploy new images pushed to Artifact Registry.
Why this answer
Option C is correct because Cloud Run natively supports continuous deployment from Artifact Registry: when a new image is pushed to the registry, Cloud Run can automatically deploy the latest image without requiring an external pipeline or scheduler. This is the simplest and most direct approach, as it eliminates the need for additional CI/CD orchestration while ensuring deployments happen immediately after each successful build.
Exam trap
The trap here is that candidates often over-engineer the solution by choosing Cloud Deploy (Option B) because it is a dedicated deployment tool, but the question specifically asks for the 'best way' to trigger a deployment after a single build, where Cloud Run's built-in continuous deployment is simpler and more direct.
How to eliminate wrong answers
Option A is wrong because using a Cloud Build builder to deploy to Cloud Run in the same pipeline couples the build and deployment steps, which violates the principle of separation of concerns and makes it harder to manage rollbacks or approvals; it also requires the Cloud Build service account to have deployment permissions, increasing security risk. Option B is wrong because Cloud Deploy is designed for multi-target, progressive delivery (e.g., canary, blue/green) and adds unnecessary complexity for a simple single-service deployment triggered by a single image push. Option D is wrong because Cloud Scheduler polling for new images introduces latency (up to the polling interval) and inefficiency, and it is not event-driven; it also requires custom logic to compare image digests, making it brittle and harder to maintain.
A company uses Cloud Source Repositories and wants automatic builds on pull requests to the main branch. Which Cloud Build trigger type should they configure?
This trigger runs builds for all pull request events.
Why this answer
A pull request trigger in Cloud Build allows you to run builds automatically when a pull request is opened, synchronized, or updated.
A company has a monorepo with multiple microservices. They want to only build and deploy the service that changed. What CI/CD practice should they implement?
Cloud Build steps can be guarded with bash commands checking git diff output.
Why this answer
Using git diff to detect changes in specific paths allows conditional build steps in Cloud Build, triggering only the affected service.
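An added example of the change-detection step the answer describes (this is not code from the quiz page or from Google). It assumes a monorepo layout where every service lives under `services/<name>/` and treats a change anywhere else (shared libraries, CI config) as affecting all services, which is the conservative choice. The input is the path list that `git diff --name-only` prints; a constructed sample stands in for it so the script runs offline.

```shell
# Added example, not from the quiz page. Derives which services a change set
# touches, from the output of 'git diff --name-only <base>..<commit>'.
# Assumed layout: services/<name>/... ; anything outside services/ affects all.

# Reads changed paths on stdin and prints the affected service names, sorted
# and de-duplicated, on one line; prints "ALL" if a path outside services/ changed.
changed_services() {
  all=0
  names=""
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    case "$path" in
      services/*)
        rest="${path#services/}"
        names="$names ${rest%%/*}"   # first path component after services/
        ;;
      *) all=1 ;;
    esac
  done
  if [ "$all" -eq 1 ]; then
    echo "ALL"
  else
    # word-split $names deliberately, one name per line, then sort -u and rejoin
    printf '%s\n' $names | sort -u | tr '\n' ' ' | sed 's/ $//'
  fi
}

# Returns 0 when the named service should be built for the given change set
# (the output of changed_services), 1 otherwise.
should_build() {
  service="$1"; set="$2"
  [ "$set" = "ALL" ] && return 0
  case " $set " in
    *" $service "*) return 0 ;;
  esac
  return 1
}

# Constructed sample standing in for real 'git diff --name-only' output.
sample_diff='services/api/main.go
services/api/handler.go
services/web/index.html'

# In a Cloud Build step the first line would instead be something like:
#   changed=$(git diff --name-only "$BASE_SHA".."$COMMIT_SHA" | changed_services)
changed=$(printf '%s\n' "$sample_diff" | changed_services)
for svc in api web billing; do
  if should_build "$svc" "$changed"; then
    echo "build $svc"      # here the real step would run the per-service build
  else
    echo "skip $svc"
  fi
done
```

Note that the step needs enough history to diff against: a trigger that fetches only the single commit (a shallow clone) gives `git diff` nothing to compare with, so the base commit must be fetched or passed in as a substitution.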
A team uses Cloud Build with a Kaniko builder to containerize their application. The build fails with the error: 'failed to push to destination: failed to get credentials: failed to get credential from metadata service: failed to fetch metadata...' What is the most likely cause?
Missing push permissions cause credential failures.
Why this answer
The error indicates that Kaniko cannot authenticate to push the built image to Container Registry. Kaniko uses the Cloud Build service account's credentials to authenticate with the registry. By default, the Cloud Build service account has the storage.objectViewer role on the Container Registry bucket, which allows pulling images but not pushing.
To push, the service account needs the storage.objectAdmin or storage.objectCreator role on the bucket. Option D correctly identifies this missing permission as the most likely cause.
Exam trap
Google Cloud often tests the misconception that Kaniko requires a Docker daemon (Option A), but the real issue is almost always a missing IAM permission on the target registry bucket.
How to eliminate wrong answers
Option A is wrong because Kaniko is specifically designed to build container images without requiring a Docker daemon; it runs entirely in userspace. Option B is wrong because the error message is about pushing credentials, not about pulling a base image; an inaccessible base image would produce a 'failed to pull' or 'image not found' error. Option C is wrong because an invalid Dockerfile instruction would cause a build-time syntax or execution error, not a credential failure during the push phase.
A company uses Cloud Deploy to manage rollouts to GKE. They need to implement a deployment strategy where a new version receives 10% of traffic for 30 minutes, then automatically rolls forward to 100% if no issues are detected. Which THREE Cloud Deploy features are required? (Choose three.)
Canary enables traffic splitting.
Why this answer
Option A is correct because a canary deployment strategy in Cloud Deploy allows you to define phases that gradually shift traffic to a new revision. A 10% phase is the first step in this strategy, ensuring only a small subset of users experience the new version initially, which aligns with the requirement to start with 10% traffic.
Exam trap
Google Cloud often tests the distinction between required Cloud Deploy features and optional external tools like Istio, leading candidates to mistakenly include Istio-specific configurations when Cloud Deploy's native traffic management suffices.
Which TWO deployment strategies are directly supported by Cloud Deploy for GKE?
Cloud Deploy supports canary with incremental traffic shifting.
Why this answer
Options B and D are correct. Cloud Deploy supports canary and blue-green deployment strategies for GKE. Option A is incorrect - rolling update is managed by GKE directly, not Cloud Deploy as a strategy.
Option C is incorrect - shadow deployments are not supported. Option E is incorrect - A/B testing is not a built-in strategy.
Which TWO practices are recommended for implementing CI/CD pipelines on Google Cloud?
Dockerfile is the standard way to define container builds.
Why this answer
Option D is correct because using a Dockerfile to define the build process for containerized applications is a recommended practice in CI/CD pipelines on Google Cloud. It ensures that the application is built consistently across all environments, leveraging Cloud Build's native support for Dockerfiles to produce container images that can be stored in Container Registry or Artifact Registry.
Exam trap
Google Cloud often tests the misconception that a single monolithic pipeline is simpler and thus better, but the correct approach is to decouple microservices into separate pipelines for isolation and independent release cycles.
A team wants to ensure zero-downtime deployments for a Cloud Run service. They plan to gradually shift traffic from the current revision to the new one. What should they configure?
Cloud Run allows you to assign traffic percentages to revisions, enabling gradual rollouts.
Why this answer
Cloud Run supports traffic splitting, allowing you to gradually send a percentage of traffic to the new revision to monitor health before fully switching.
A development team is using Cloud Build to build and push Docker images to Artifact Registry. The builds are taking longer than expected, and the team wants to reduce build time and cost. They use a Dockerfile that installs many dependencies. Which approach should they recommend?
Kaniko's cache stores intermediate layers in a persistent volume, dramatically reducing build time for unchanged dependencies.
Why this answer
Option C is correct because using Kaniko with a persistent cache for base layers leverages cache from previous builds, speeding up builds without requiring privileged mode. Option A increases cost by adding more vCPUs without addressing inefficient caching. Option B uses Docker with privileged mode, which is slower and less secure.
Option D reduces parallelism, likely increasing build time.
A DevOps engineer is setting up a CI/CD pipeline for a Python application using Cloud Build. The build takes too long because pip install is downloading packages every time. What is the best approach to speed up the build?
Caching pip downloads across builds is the most direct optimization.
Why this answer
Option C is correct because storing pip cache in a Cloud Storage bucket and restoring it in subsequent builds reduces download time. Option A is incorrect - Docker layer caching helps but pip cache is more effective for Python. Option B is incorrect - no guarantee of faster builds.
Option D is incorrect - pre-built images may introduce more complexity and maintenance.
Refer to the exhibit. A team uses this cloudbuild.yaml to deploy a service to Cloud Run. They notice that the deployment fails intermittently with a 'permission denied' error. Which is the most likely cause?
These roles grant permission to deploy Cloud Run services.
Why this answer
The Cloud Build service account (default or custom) must have the `roles/run.admin` or `roles/run.developer` IAM role to execute `gcloud run deploy`. Without these roles, the deployment fails with a 'permission denied' error because the service account lacks the `run.services.create` and `run.services.update` permissions required to deploy or update a Cloud Run service. The intermittent nature suggests the service account may have been granted the role after some failures, or the error only surfaces when the service account's cached credentials expire.
Exam trap
Google Cloud often tests the distinction between permissions needed for different stages of a CI/CD pipeline; the trap here is that candidates assume the error is about image pushing (Artifact Registry) rather than the deployment step (Cloud Run), because both involve 'permission denied' but at different phases.
How to eliminate wrong answers
Option A is wrong because `$SHORT_SHA` is a valid Cloud Build substitution variable that resolves to the short commit SHA; it does not cause a 'permission denied' error. Option C is wrong because if the region in the `gcloud run deploy` command does not match where Cloud Run is enabled, the error would be a region mismatch or 'not found', not a 'permission denied' error. Option D is wrong because the Cloud Build service account typically has the `roles/artifactregistry.writer` role by default in many setups, and even if it lacked push permission, the error would occur during the `docker push` step, not during the `gcloud run deploy` step.
During a Cloud Build execution, the step fails with 'Error: could not find a valid 'Dockerfile' in context '.''. The build configuration file is located in a subdirectory called 'build/' and the Dockerfile is in the root of the repository. How should the team fix this?
Setting `dir: '.'` or `dir: '/'` will make Docker use the root context.
Why this answer
Option C is correct because the Cloud Build step's `dir` field explicitly sets the working directory for the step. By specifying `dir: '.'` (or the repository root), Cloud Build will look for the Dockerfile in the root context, even though the build configuration file (`cloudbuild.yaml`) resides in the `build/` subdirectory. This ensures the Docker build context points to the correct location where the Dockerfile exists.
Exam trap
Google Cloud often tests the misconception that the build configuration file's location dictates the Docker build context, leading candidates to incorrectly choose moving the config file or using substitutions, when the `dir` field is the correct and intended mechanism to control the working directory for a step.
How to eliminate wrong answers
Option A is wrong because creating a symbolic link is an unnecessary workaround that adds complexity and fragility; Cloud Build does not require or recommend symlinks for context resolution. Option B is wrong because moving the Cloud Build configuration file to the root is not required and would break the intended project structure; the `dir` field exists precisely to decouple the config file location from the build context. Option D is wrong because substitutions in Cloud Build are used for variable replacement (e.g., `$_TAG`), not for changing the build context or working directory of a step.
A DevOps team wants to implement a CI/CD pipeline for a microservices application deployed on Google Kubernetes Engine (GKE). They need to ensure that each service is built, tested, and deployed independently with minimal manual intervention. Which TWO practices should they implement?
Cloud Deploy provides deployment strategies that reduce risk and allow independent releases.
Why this answer
Option B uses Cloud Build triggers to automatically build and test each service on pull request, enabling independent CI. Option C uses Cloud Deploy for progressive delivery, facilitating safe deployments. Option A is not best practice as a single config becomes complex.
Option D opposes microservices independence. Option E focuses on source control, not CI/CD.
Which THREE of the following are best practices for securing a CI/CD pipeline using Cloud Build? (Choose 3.)
This prevents injection of malicious code from feature branches.
Why this answer
Option A is correct because restricting Cloud Build triggers to protected branches (e.g., main, release) prevents unauthorized or untested code changes from initiating builds, which is a fundamental security control for CI/CD pipelines. This ensures that only code that has passed review and is merged into stable branches can trigger automated builds, reducing the risk of malicious or erroneous code being deployed.
Exam trap
Google Cloud often tests the principle of least privilege by including overly broad IAM roles (like Storage Admin) as distractors, and candidates may mistakenly think granting full access is acceptable for simplicity, when in fact specific roles like Artifact Registry Writer or Cloud Build Service Account should be used.
Which TWO are benefits of using Cloud Build triggers to implement CI/CD pipelines?
Triggers automate builds on source code changes.
Why this answer
Option A is correct because Cloud Build triggers can be configured to automatically start a build in response to events such as a push to a repository branch or the creation of a pull request. This event-driven automation is the foundation of a CI/CD pipeline, eliminating the need for manual build initiation and ensuring that every code change is validated immediately.
Exam trap
Google Cloud often tests the misconception that triggers can directly control deployment regions or infrastructure provisioning, when in fact triggers only respond to events and start builds, with all deployment logic residing in the build configuration file.
You are a DevOps engineer for a large e-commerce platform running on Google Kubernetes Engine (GKE). The platform consists of 15 microservices, each with its own code repository. Your team uses Cloud Build for CI and Cloud Deploy for CD. Recently, the deployment to production has been failing intermittently because the new version of the 'payment' service is not compatible with the current version of the 'order' service. This causes a production outage every few weeks. The team wants to implement a strategy to catch such incompatibilities before promoting to production, without slowing down development velocity. Currently, the pipeline builds each service independently, runs unit tests, deploys to a shared staging environment, runs integration tests, and then promotes to production after manual approval. What should you do?
Canary deployments in staging catch incompatibilities early without slowing development.
Why this answer
Option B is correct because it introduces canary deployments in the staging environment, allowing the new payment service to be tested with a subset of realistic traffic alongside the current order service. This catches incompatibilities early by running integration tests against the canary, without blocking the pipeline or slowing development velocity. Cloud Deploy supports canary deployment strategies natively, making this a practical and automated solution.
Exam trap
The trap here is that candidates may choose option A (version locking) because it seems like a straightforward dependency management solution, but it ignores the need for dynamic testing under realistic traffic patterns and the requirement to maintain development velocity.
How to eliminate wrong answers
Option A is wrong because locking versions with strict compatibility matrices reduces flexibility and slows development velocity, contradicting the requirement to avoid slowing down the team. Option C is wrong because adding a manual QA testing phase introduces human delay and does not scale, failing to maintain development velocity. Option D is wrong because combining all 15 microservices into a single pipeline creates a monolithic build that increases build times, reduces parallelism, and violates the principle of independent service deployment, which is a core tenet of microservices architecture.
A team is using Cloud Build to build and deploy to multiple environments (dev, staging, prod) using Cloud Deploy. They want to ensure that only builds from the main branch are promoted to prod. How should they configure this?
Approval gating prevents automatic promotion to prod.
Why this answer
Option D is correct because Cloud Deploy's approval gate feature allows you to require manual approval before a release is promoted to a specific target, such as prod. By configuring an approval gate on the prod target, you ensure that only builds from the main branch (which can be verified via the release metadata or source) are manually approved for promotion, providing a controlled, auditable gate. This approach directly enforces the branch-based promotion policy without relying on build-time filtering or IAM restrictions.
Exam trap
Google Cloud often tests the misconception that a Cloud Build trigger restriction alone is sufficient to control promotions, but the trigger only controls build creation, not the subsequent deployment promotion, which requires a separate gate like an approval gate in Cloud Deploy.
How to eliminate wrong answers
Option A is wrong because Cloud Build tags are metadata attached to builds, but Cloud Deploy does not have a native filter to promote releases based on tags; tags are not propagated or evaluated during promotion. Option B is wrong because IAM policies on Container Registry or Artifact Registry control who can pull or push images, not which builds are promoted to prod; they cannot enforce a branch-based promotion policy. Option C is wrong because setting the Cloud Build trigger to only run on the main branch ensures that only main branch builds are created, but it does not prevent a release from that build from being promoted to prod; the trigger alone does not gate the promotion step.
A development team wants to automatically run unit tests and static code analysis on every push to a Cloud Source Repository, but only run integration tests on merges to the main branch. Which Cloud Build trigger configuration should they use?
Correct: separate triggers with branch filters allow different pipelines per branch.
Why this answer
Option C is correct because Cloud Build triggers allow you to define separate triggers with branch filters to execute different build configurations based on the branch. By creating one trigger with a branch filter of '^main$' for integration tests and another with '^.*$' for unit tests, you ensure unit tests run on every push to any branch, while integration tests run only on merges to main. This approach directly maps the desired behavior without requiring conditional logic or manual intervention.
Exam trap
The trap here is that candidates mistakenly think a single trigger with conditional steps or substitution variables can handle branch-specific logic, but Cloud Build triggers are designed to be event-filtered at the trigger level, not at the build step level.
How to eliminate wrong answers
Option A is wrong because a single trigger with a substitution variable like '_BRANCH' cannot conditionally skip steps based on the branch at trigger time; substitution variables are resolved at build time and do not control trigger execution. Option B is wrong because the 'branchName' substitution is not a valid Cloud Build trigger property for conditional step skipping; Cloud Build triggers use branch filters to determine which events fire the trigger, not to conditionally execute steps within a single build config. Option D is wrong because relying on developers to manually trigger integration tests defeats the purpose of automation and introduces human error, violating CI/CD best practices.
A company is migrating from Jenkins to Cloud Build for their CI/CD pipeline. They have a large Java monorepo with multiple modules that take over 2 hours to build and test sequentially. They want to reduce build time by running module builds in parallel. The current Jenkins pipeline uses a single Jenkinsfile that builds all modules. They have a Cloud Build config that runs 'mvn clean package' for the entire project, which is slow. They have a 2-hour Cloud Build timeout. The architecture requires that some modules depend on others. Which approach should they take to minimize build time while correctly handling dependencies?
This models the dependency graph and runs independent modules in parallel, plus caching speeds up subsequent builds.
Why this answer
Option C is correct: using Cloud Build's `waitFor` to model the dependency DAG allows parallel builds of independent modules, reducing total time. Option A is incorrect because building each module individually without dependencies would break dependent modules. Option B is incorrect because a single build step is exactly what they have now.
Option D is incorrect because the 'mvn -pl' approach still runs on a single machine and doesn't leverage Cloud Build's parallelism.
A multinational corporation has multiple development teams working on microservices deployed to GKE clusters. They want to implement a CI/CD pipeline that ensures every container image is scanned for vulnerabilities, passes unit tests, and gets a security approval before deployment to production. They are using Cloud Build for CI and Cloud Deploy for CD. The current pipeline triggers on code push to any branch. The security team requires that all production deployments be reviewed and approved by the security team. Which set of actions best meets these requirements?
This meets all requirements: scanning, tests in Cloud Build, and approval in Cloud Deploy.
Why this answer
Option B is correct: using Cloud Build triggers only for the main branch reduces unnecessary builds; Container Analysis automatically scans images on push to Artifact Registry; Cloud Deploy can incorporate a manual approval step for the production phase. Option A is incorrect because pre-build scanning doesn't catch vulnerabilities introduced at build time. Option C is incorrect because Cloud Build does not natively support manual approvals; that is a CD responsibility.
Option D is incorrect because Cloud Build can run tests before scanning, but the approval should be in Cloud Deploy.
Which TWO are benefits of using Cloud Build private pools?
Private pools use VMs not shared with other projects.
Why this answer
Option B is correct because Cloud Build private pools provide dedicated VMs that are not shared with other Google Cloud projects. This isolation ensures consistent performance and eliminates the 'noisy neighbor' effect that can occur in public pools, where build resources are shared across multiple tenants.
Exam trap
Google Cloud often tests the misconception that private pools are always faster or cheaper than public pools, but the real benefits are isolation, custom machine types, and network control, not performance or cost.
Your team manages a CI/CD pipeline for a microservices application deployed on Google Kubernetes Engine (GKE). The pipeline uses Cloud Build to build container images and push them to Artifact Registry, then uses a Cloud Build step with kubectl to apply Kubernetes manifests stored in a separate 'manifests' repository. Recently, the team has experienced issues: sometimes a new image is deployed to production even though the corresponding pull request (PR) has not been merged into the main branch of the manifests repository. Also, rollbacks are slow because the previous image tag is overwritten. The team wants to ensure that only code that passes all tests and is merged to main is deployed, and that each deployment uses a unique immutable image tag. What should the team do?
This ensures that only merged code triggers deployments, and the full commit SHA provides an immutable unique tag for easy rollback.
Why this answer
Option B is correct because consolidating the application code and Kubernetes manifests into a single repository ensures that the image tag (full commit SHA) is uniquely tied to the exact code and manifest changes that passed all tests. By configuring Cloud Build triggers to deploy only on merges to the main branch, the team guarantees that only fully tested, merged code reaches production. Using the full commit SHA as the image tag provides immutability and enables fast, precise rollbacks by referencing the exact image from Artifact Registry.
Exam trap
Google Cloud often tests the misconception that separate repositories with branch-based triggers are sufficient for deployment integrity, when in reality the atomicity of code and manifest changes in a single repository is required to prevent untested code from reaching production.
How to eliminate wrong answers
Option A is wrong because keeping separate repositories with triggers on the main branch of both does not solve the root cause: a PR merged into the manifests repo could reference an image tag (short SHA) that was built from unmerged app code, leading to deployment of untested code. Option C is wrong because deploying on every push to main (rather than only on merges) could still deploy code that hasn't passed all tests if the trigger is misconfigured or if tests are run in parallel; also, using $COMMIT_SHA is correct but the trigger condition is insufficiently strict. Option D is wrong because using the 'latest' tag violates immutability and makes rollbacks impossible, and separate repositories with separate triggers do not enforce the atomicity of code and manifest changes, allowing mismatched deployments.
A team uses Cloud Build with a trigger on Cloud Source Repository. The build fails intermittently with error 'Failed to pull builder image 'gcr.io/cloud-builders/gcloud'' but sometimes succeeds. What is the most likely cause?
When many builds run concurrently, Cloud Build may throttle egress, causing timeouts pulling images. Reducing concurrency or using a private pool can resolve this.
Why this answer
The intermittent failure to pull the builder image 'gcr.io/cloud-builders/gcloud' indicates a transient network issue rather than a permanent misconfiguration. Cloud Build uses a shared pool of network resources, and under high concurrency, egress traffic to Container Registry can be throttled, causing pull operations to time out or fail. This explains why the build sometimes succeeds and sometimes fails, as throttling depends on the current load.
Exam trap
Google Cloud often tests the distinction between consistent misconfiguration errors (e.g., permissions, region) and transient network throttling issues, where the 'intermittent' keyword is the critical hint to choose throttling over permanent configuration problems.
How to eliminate wrong answers
Option A is wrong because Cloud Build worker pools are regional resources, but the region does not affect the ability to pull a public image from gcr.io; the error is intermittent, not a permanent region mismatch. Option B is wrong because the size of the builder image is not the cause of intermittent failures; if the image were too large, it would consistently fail or time out, not succeed sometimes. Option D is wrong because if the build service account lacked permissions to access Container Registry, the failure would be consistent (e.g., a 403 Forbidden error), not intermittent.
Refer to the exhibit. The build fails with error: 'invalid tag format' for the image. What is the issue?
If $SHORT_SHA is empty, the tag becomes 'myimage:', which is invalid. Substitutions must be defined when running the build.
Why this answer
Option A is correct because $SHORT_SHA is a substitution that may be empty if not defined, resulting in an invalid tag. Option B is incorrect because a tag is provided. Option C is incorrect because the images array triggers a push automatically.
Option D is irrelevant.
An organization uses Cloud Deploy with Skaffold to manage progressive delivery on GKE. After a rollout, the new revision shows a higher error rate in Stackdriver, but the Cloud Deploy pipeline did not automatically roll back. What is the most likely cause?
Cloud Deploy pauses at approval steps; automatic rollback occurs only in phases that do not require approval, and only if metrics are checked via a verification job.
Why this answer
Option A is correct because Cloud Deploy can wait for manual approval or an external verification job; if the rollout strategy is set to require approval, automatic rollback is not triggered. Option B is incorrect because the rollout doesn't need to complete to trigger a rollback if metrics are monitored. Option C is incorrect because the error rate metric is not part of the pipeline unless a custom verification job is configured.
Option D is incorrect because the release configuration doesn't affect automatic rollback behavior.
A DevOps team is troubleshooting a Cloud Build pipeline that fails intermittently when building a container image. The build step uses a custom build step that runs a vulnerability scan. The error log shows: 'Step #1: Error: failed to scan image: context deadline exceeded'. The build configuration includes 'timeout: 600s'. Which is the most likely cause and solution?
The error 'context deadline exceeded' indicates the step timed out.
Why this answer
The error 'context deadline exceeded' indicates that the custom vulnerability scan step is taking longer than the build's configured timeout of 600 seconds. Cloud Build enforces a hard timeout for the entire build; if any step exceeds this duration, the build is terminated. Increasing the timeout value in the build configuration provides more time for the scan to complete, directly addressing the root cause.
Exam trap
Google Cloud often tests the distinction between resource exhaustion (memory/CPU) and timeout errors, leading candidates to mistakenly select machine type upgrades when the error message explicitly indicates a deadline exceeded.
How to eliminate wrong answers
Option A is wrong because the error is a timeout, not a missing dependency; a missing dependency would produce a 'command not found' or similar error. Option B is wrong because network latency would typically cause connection timeouts or retries, not a 'context deadline exceeded' from the scan tool itself; VPC Service Controls address data exfiltration risks, not latency. Option C is wrong because an out-of-memory error would manifest as an OOM kill or exit code 137, not a 'context deadline exceeded' message.
A financial services firm is implementing a CI/CD pipeline with Cloud Build and Artifact Registry. Their security policy requires all data to remain within a VPC Service Controls perimeter. They have configured Cloud Build to use a private worker pool with no external IP addresses and have set up VPC-SC to allow traffic between Cloud Build and Artifact Registry within the perimeter. However, builds that push Docker images to Artifact Registry fail with the error: 'denied: Unauthenticated request. Push access to the repository is denied.' The build configuration includes the step: `steps: - name: gcr.io/cloud-builders/docker args: [push, us-central1-docker.pkg.dev/myproject/my-repo/myimage]`. The Cloud Build service account has been granted roles/artifactregistry.writer on the repository. What is the most likely cause?
VPC-SC can restrict access to APIs; the Artifact Registry endpoint must be explicitly allowed in the perimeter.
Why this answer
Option C is correct because VPC Service Controls can block access to Artifact Registry API endpoints if they are not in the allowed list, resulting in a denied error even with correct IAM permissions. Option A is incorrect because Artifact Registry is regional but private pools can access any region. Option B is incorrect because IAM permissions are correct.
Option D is incorrect because the image tag is present.
A DevOps team uses Cloud Build and Cloud Deploy to deploy to GKE. They want to implement a gated deployment where a manual approval is required before promoting from staging to production. What two resources should they configure? (Select TWO)
Approval rules define stages where manual approval is needed.
Why this answer
Option C is correct because a Cloud Deploy approval rule in the delivery pipeline defines a manual gate that pauses the pipeline at a specific stage (e.g., before promoting to production) and requires explicit approval to proceed. Option D is correct because setting the `requireApproval` attribute to `true` on a Cloud Deploy target enforces that any rollout targeting that environment must receive manual approval before the deployment proceeds.
Exam trap
Google Cloud often tests the distinction between Cloud Deploy's native approval mechanism (approval rules and `requireApproval` on targets) and Cloud Build's manual approval steps, which are separate and apply to build pipelines, not deployment pipelines.
A company uses Cloud Source Repositories and Cloud Build to build and deploy a Node.js application to Google Kubernetes Engine (GKE). The build step fails intermittently with an error 'npm ERR! network timeout'. What is the most efficient way to reduce build failures?
A longer timeout reduces failures due to temporary network issues.
Why this answer
Option A is correct because configuring a proxy or specifying a longer timeout in the npm config can mitigate network timeouts. Option B is incorrect because retries in Cloud Build don't fix the underlying timeout. Option C is incorrect because moving to Artifact Registry doesn't affect npm network calls.
Option D is incorrect because increasing machine size doesn't resolve network timeouts.
An organization uses Cloud Build with a private pool to build container images that require access to on-premises Artifactory. After moving to a new VPC, builds fail with 'Connection refused' when fetching dependencies. What is the best step to troubleshoot?
Private pools require peering; missing peering stops traffic.
Why this answer
The error 'Connection refused' indicates that the Cloud Build private pool's worker VMs cannot reach the on-premises Artifactory server. Private pools are deployed in a Google-managed service producer VPC that must be connected to the customer VPC via VPC Network Peering. Without this peering and the correct routes to the on-premises network (e.g., via Cloud VPN or Dedicated Interconnect), traffic from the private pool is dropped, causing the connection refusal.
Exam trap
The trap here is that candidates confuse connectivity issues with IAM permissions or misapply Cloud NAT, thinking it provides outbound access to on-premises, when in reality private pools require VPC peering and proper routing to reach non-Google Cloud endpoints.
How to eliminate wrong answers
Option B is wrong because the dns.networks.bindPrivateZone permission is used for binding a private DNS zone to a VPC network, which is unrelated to the connectivity issue causing 'Connection refused'. Option C is wrong because Artifactory is an on-premises service, not a Google Cloud Storage bucket; the storage.objectViewer role applies to GCS buckets, not to on-premises HTTP/HTTPS endpoints. Option D is wrong because Cloud NAT provides outbound internet access for private VMs, but the private pool's VPC is the service producer VPC managed by Google, not the customer's VPC; Cloud NAT in the customer VPC does not affect the private pool's connectivity to on-premises.
A company uses Cloud Deploy for continuous delivery to GKE. They have a delivery pipeline with a rollout strategy: canary (25% for 30m) then full. The canary rollout fails because the new revision's health check errors. The team wants to automatically rollback the canary and notify. What native GCP feature can achieve this?
Cloud Deploy can automatically rollback a rollout on failure by setting rollbackPolicy to ALWAYS or ON_FAILURE.
Why this answer
Option A is correct because Cloud Deploy supports automated rollback via the rollbackPolicy in the delivery pipeline. Option B is incorrect because Cloud Build triggers are not designed for rollback automation. Option C is incorrect because post-deploy hooks are not for rollbacks.
Option D is incorrect because it requires custom scripting and is not as native as Cloud Deploy's feature.
A team is setting up CI/CD for a microservices architecture. They want to ensure each service is independently buildable and deployable. What practices should they adopt? (Select THREE)
Separate repositories provide isolation and access control per service.
Why this answer
Options A, B, and E are correct. Separate repositories (A) or separate triggers with includeFiles (B) ensure independent builds. Separate Artifact Registry repositories (E) ensure artifact isolation.
Option C builds multiple services in one config, reducing independence. Option D is about deployment targets, not builds.
A team uses a monorepo with multiple microservices in separate directories. They want to build only the changed service(s) when a push occurs to the repo. How can they achieve this efficiently?
includeFiles and excludeFiles allow triggering only when files in specific paths change.
Why this answer
Option B is correct because Cloud Build triggers can use includeFiles filters to only trigger when files in a specific directory change. Option A builds all services, which is inefficient. Option C is possible but not native.
Option D adds complexity.
Refer to the exhibit. A DevOps engineer is debugging a Cloud Build pipeline that fails after the second step. The error indicates that the docker push fails with a permission denied error. The service account used by Cloud Build has the roles/storage.objectAdmin role on the project. What is the most likely cause of the failure?
Artifact Registry requires specific roles; storage.objectAdmin is insufficient for pushing images.
Why this answer
The service account's storage.objectAdmin role grants access to Cloud Storage objects, which was enough for the legacy Container Registry (backed by Cloud Storage buckets) but grants nothing on Artifact Registry. Pushing an image to Artifact Registry requires roles/artifactregistry.writer (or a broader role such as roles/artifactregistry.admin) on the repository or project, so Option C correctly identifies the missing role. Grant it on the repository itself rather than the project where possible, for example with gcloud artifacts repositories add-iam-policy-binding.
Option A is too vague. Option B is unlikely because the image path appears correct. Option D is already performed in the first step.
A company uses Spinnaker for continuous delivery across multiple GKE clusters. After a recent infrastructure change, the 'Canary' deployment strategy fails during the 'disable' phase of the old version. The error log shows: 'Unable to disable server group: Not authorized to perform compute.instanceGroups.update.' What is the most likely root cause?
Correct: Spinnaker uses this permission to disable old server groups.
Why this answer
The error 'Unable to disable server group: Not authorized to perform compute.instanceGroups.update' directly indicates an IAM permissions issue. In Spinnaker, the service account used to interact with GCP must have the compute.instanceGroups.update permission to manage instance groups during the disable phase of a canary deployment. Option C correctly identifies that the Spinnaker service account lacks this specific permission on the project.
Exam trap
Google Cloud often tests the distinction between permissions errors and resource quota errors, leading candidates to incorrectly select quota-related options when the error message explicitly states 'Not authorized'.
How to eliminate wrong answers
Option A is wrong because reaching the maximum node quota would cause a failure to provision new nodes, not a permissions error during the disable phase. Option B is wrong because Cloud Deploy is a separate Google Cloud service; the error is from Spinnaker's own service account, not from a Cloud Deploy pipeline. Option D is wrong because Kayenta handles canary analysis and metric evaluation, not the disabling of server groups; the error is an IAM authorization failure, not a configuration issue with Kayenta.
A company uses Cloud Build to deploy a microservices application to Google Kubernetes Engine (GKE). They want to integrate Container Analysis to scan images for vulnerabilities before deployment. What is the minimal set of changes needed to achieve this?
Cloud Build pushes the images listed under `images` to the configured registry, and Artifact Analysis (formerly Container Analysis) scans them automatically once the Container Scanning API is enabled.
Why this answer
Option D is correct because Cloud Build natively integrates with Container Analysis; enabling the API and building the image triggers scanning automatically. Option A is incorrect - no need for a separate scan step. Option B is incorrect - Binary Authorization is for policy enforcement, not scanning.
Option C is incorrect - Artifact Registry does not replace scanning.
A team uses Cloud Build to deploy a Cloud Run service. The build fails with: 'ERROR: (gcloud.run.services.update) PERMISSION_DENIED: Permission 'run.services.update' denied on resource.' The Cloud Build service account has the Cloud Run Admin role. What is missing?
The error is an IAM denial for run.services.update; Cloud Run Admin (roles/run.admin) includes that permission, so the role binding itself must be missing or attached to the wrong identity.
Why this answer
Option D is correct because the error message explicitly names the 'run.services.update' permission as denied, which means the identity that ran the deploy step did not hold it. Cloud Run Admin includes 'run.services.update', so the role is not the problem; the binding is: it was granted in the wrong project or to the wrong service account, or the build ran as a different service account than the one that was granted the role (a trigger can specify its own). Check which account the build actually used (gcloud builds describe BUILD_ID shows it), then reassign Cloud Run Admin to that account or grant 'run.services.update' directly, and allow a few minutes for IAM propagation before retrying.
Exam trap
Google Cloud often tests the misconception that using a specific step type (like Cloud Run deployer) bypasses IAM requirements, when in fact all deployment methods require the same underlying permissions.
How to eliminate wrong answers
Option A is wrong because the Cloud Run deployer step is a convenience wrapper that still requires the same underlying IAM permissions; using it instead of the gcloud command does not bypass permission checks. Option B is wrong because the Owner role is overly permissive and unnecessary; the Cloud Run Admin role (roles/run.admin) already includes all required Cloud Run permissions, including 'run.services.update'. Option C is wrong because Cloud Run deployments are not region-restricted by the build's region; the service can be deployed to any region regardless of where Cloud Build runs.
Which TWO are best practices for implementing CI/CD on Google Cloud?
Artifact Registry is the recommended registry for Google Cloud.
Why this answer
Option B is correct because Artifact Registry is the recommended service for storing, managing, and securing container images and other artifacts in Google Cloud. It integrates natively with Cloud Build, Cloud Run, and Kubernetes, providing vulnerability scanning and IAM-based access control, which are essential for a secure CI/CD pipeline.
Exam trap
Google Cloud often tests the distinction between CI/CD tools and compute services. Candidates mistakenly select Cloud Run as a CI/CD best practice because it is a popular Google Cloud service, but it is a runtime environment, not a pipeline component.
What security checks can be integrated into a Cloud Build CI/CD pipeline? (Select TWO)
Artifact Analysis can scan container images for vulnerabilities as part of the pipeline.
Why this answer
Options A and B are correct. Container scanning with Artifact Analysis (A) is native. SAST can be added via custom steps (B).
Option C (network penetration) is external. Option D (manual code review) is a process, not a tool. Option E (DAST) is for running apps.
During a Cloud Build pipeline, a build step fails because the Docker image tag already exists in Container Registry. The team wants to avoid overwriting tags. What is the best practice to resolve this?
Commit SHA is unique per change, avoiding collisions.
Why this answer
Using the commit SHA as the image tag guarantees uniqueness because each commit produces a distinct SHA. This prevents tag collisions without overwriting, since the SHA is immutable for that commit, and it gives traceability back to the exact source version that produced the image. The same strategy applies to Artifact Registry, which Google recommends over the deprecated Container Registry. One caveat: rebuilding the same commit reproduces the same tag, so if the repository enforces immutable tags the re-run fails instead of silently overwriting, which is the behaviour the team asked for.
Exam trap
Google Cloud often tests the misconception that retries or pulling images can resolve tag conflicts, when in fact only a unique tag strategy (like commit SHA) prevents the collision at the source.
How to eliminate wrong answers
Option B is wrong because using the :latest tag encourages overwriting, which directly violates the team's requirement to avoid overwriting tags. Option C is wrong because pulling an image before building does not prevent tag conflicts; it only ensures the image is cached locally, and the build step will still fail if the tag already exists in the registry. Option D is wrong because retrying with backoff does not resolve the underlying tag collision; it will simply fail again on each retry since the tag still exists.
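As an added example (not code from the page), a cloudbuild.yaml that builds an image, tags it with the commit SHA, pushes it to Artifact Registry and deploys that exact tag to Cloud Run. It also shows the push from the earlier exhibit question (the one failing with storage.objectAdmin) and the permissions the Cloud Run deploy step needs. The region, repository, image and service names are assumed placeholders; the substitutions are Cloud Build's built-in ones.

```yaml
# Added example, not from the original page. Placeholders: region us-central1,
# Artifact Registry repository "apps", image and Cloud Run service "auth".
# $PROJECT_ID, $COMMIT_SHA and $SHORT_SHA are built-in Cloud Build substitutions;
# the last two are populated only for builds started by a repository trigger.
steps:
  # Build once; tag the same image with the full SHA (unique, traceable) and the
  # short SHA (convenient for humans). Never tag with :latest here.
  - id: build
    name: gcr.io/cloud-builders/docker
    args:
      - build
      - --tag=us-central1-docker.pkg.dev/$PROJECT_ID/apps/auth:$COMMIT_SHA
      - --tag=us-central1-docker.pkg.dev/$PROJECT_ID/apps/auth:$SHORT_SHA
      - .

  # Push the SHA tag now so it exists before the deploy step runs (the
  # `images` list below is pushed only after all steps finish). This push
  # needs roles/artifactregistry.writer on the "apps" repository;
  # storage.objectAdmin grants nothing here.
  - id: push
    name: gcr.io/cloud-builders/docker
    args:
      - push
      - us-central1-docker.pkg.dev/$PROJECT_ID/apps/auth:$COMMIT_SHA

  # Deploy by the SHA tag, so the running revision is pinned to one commit.
  # The build service account needs roles/run.admin and
  # iam.serviceAccounts.actAs (roles/iam.serviceAccountUser) on the Cloud Run
  # runtime service account.
  - id: deploy
    name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: gcloud
    args:
      - run
      - deploy
      - auth
      - --image=us-central1-docker.pkg.dev/$PROJECT_ID/apps/auth:$COMMIT_SHA
      - --region=us-central1
      - --platform=managed

# Images listed here are pushed when the build succeeds and recorded, with
# their digests, in the build results.
images:
  - us-central1-docker.pkg.dev/$PROJECT_ID/apps/auth:$COMMIT_SHA
  - us-central1-docker.pkg.dev/$PROJECT_ID/apps/auth:$SHORT_SHA
```

To make overwriting impossible rather than merely avoided, create the repository with immutable tags (gcloud artifacts repositories create apps --repository-format=docker --location=us-central1 --immutable-tags); a second push of an existing tag is then rejected. With the Container Scanning API enabled, every push to the repository is scanned automatically, which is the "minimal change" the scanning question above refers to.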
Refer to the exhibit. A rollout to dev succeeds, but when promoting to prod, it fails with 'Target 'prod' not found'. What is the issue?
Cloud Deploy targets must exist before they can be used in a pipeline. The error indicates the target does not exist.
Why this answer
Option A is correct because the prod target must be created before it can be referenced in a pipeline. Option B is incorrect because redeploying the pipeline won't create the target. Option C is incorrect because the error indicates the target does not exist, not that it's in a different project.
Option D is incorrect because the error is a missing target, not a pending approval.
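As an added example (not code from the page), a Cloud Deploy configuration that defines the pipeline together with both targets it references, so that promotion to prod cannot fail with a missing target. Project, region, cluster and service-account names are assumed placeholders.

```yaml
# Added example, not from the original page. Project, region, cluster and
# service-account names are placeholders.
# Apply everything in one go:
#   gcloud deploy apply --file=clouddeploy.yaml --region=us-central1 --project=example-project
apiVersion: deploy.cloud.google.com/v1
kind: DeliveryPipeline
metadata:
  name: web-app
description: dev, then prod
serialPipeline:
  stages:
    # Each targetId must match a Target resource in the same project and region;
    # a stage whose target was never applied fails with "Target 'prod' not found".
    - targetId: dev
      profiles: [dev]
    - targetId: prod
      profiles: [prod]
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: dev
description: development cluster
gke:
  cluster: projects/example-project/locations/us-central1/clusters/dev-cluster
executionConfigs:
  - usages: [RENDER, DEPLOY]
    serviceAccount: clouddeploy-dev@example-project.iam.gserviceaccount.com
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod
description: production cluster
# A human must approve the rollout before the deploy job runs.
requireApproval: true
gke:
  cluster: projects/example-project/locations/us-central1/clusters/prod-cluster
executionConfigs:
  - usages: [RENDER, DEPLOY]
    # Separate execution identity per target: the dev target's account holds
    # no permissions on the prod cluster, so a dev-stage compromise cannot
    # reach production.
    serviceAccount: clouddeploy-prod@example-project.iam.gserviceaccount.com
```

Targets may live in their own files, but they must be applied before a release is promoted to them; gcloud deploy targets list --region=us-central1 confirms what actually exists. Keeping the pipeline and its targets in one file, applied together, removes the ordering mistake behind this question.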
A Cloud Deploy pipeline fails during a rollout with: 'FAILED_PRECONDITION: The release is not in a state that can be promoted.' The Cloud Build service account has the IAM roles shown in the exhibit. What is the missing role or permission?
Approver role is needed for promotion.
Why this answer
The error 'FAILED_PRECONDITION: The release is not in a state that can be promoted' occurs when a Cloud Deploy pipeline attempts to promote a release but the service account lacks the `clouddeploy.releases.promote` permission. This permission is included in the `roles/clouddeploy.approver` role, which is required to trigger a promotion from one target to the next in the pipeline. Without this role, the release cannot be promoted even if other deployment permissions are present.
Exam trap
Google Cloud often tests the distinction between the `clouddeploy.operator` role (which manages releases and rollouts) and the `clouddeploy.approver` role (which specifically allows promotion), leading candidates to mistakenly choose the operator role for promotion actions.
How to eliminate wrong answers
Option A is wrong because the `roles/clouddeploy.jobRunner` role is used for executing deployment jobs (e.g., running Skaffold render/apply) and does not include the `clouddeploy.releases.promote` permission needed for promotion. Option B is wrong because the `roles/cloudbuild.builds.builder` role is for Cloud Build execution, not for Cloud Deploy release promotion; it does not grant `clouddeploy.releases.promote`. Option C is wrong because the `roles/clouddeploy.operator` role provides broader management permissions (e.g., creating releases, rollbacks) but does not include the `clouddeploy.releases.promote` permission, which is exclusive to the `roles/clouddeploy.approver` role.
A large enterprise uses Cloud Build across multiple projects for different microservices. They want to create a centralized CI/CD governance where a single trigger can initiate builds across multiple projects, but each project's artifacts must be stored in a shared Artifact Registry. What is the best way to achieve this?
Cloud Build triggers can invoke builds in other projects using the 'projects/{projectId}/builds' resource with appropriate IAM.
Why this answer
Option B is correct because a Cloud Build trigger with a cross-project service account and a multi-project configuration is the most native approach. Option A is incorrect: triggers are scoped to a project. Option C is incorrect: a separate service account in each project is less centralized.
Option D is incorrect - Cloud Functions adds unnecessary complexity.