
CHEATSHEET · DEVOPS · BEFORE THE INTERVIEW

GCP — The Associate Certification Cheatsheet.

gcp cloud associate-cert interview-prep
The Google Associate Cloud Engineer (ACE) exam (120 min, multiple-choice/select) tests whether you can deploy and operate on GCP. It's mostly "pick the right service" + "least-privilege IAM" + "right gcloud command". This sheet follows the official five domains, then the high-priority services, gcloud, and exam-style Q&A. Study order at the bottom.

1. Resource hierarchy & environment

Organization → Folder → Project → Resources. IAM and Organization Policies inherit downward. The Project is the unit of billing, quota, API enablement, and isolation — every resource lives in exactly one.

  • Organization — root node, tied to a Cloud Identity / Workspace domain.
  • Folders — group projects by team/env; apply policy/IAM at the folder.
  • Org Policies — guardrails (constraints): restrict regions, block external IPs, enforce uniform bucket access, disable SA key creation. Different from IAM (who can do what) — org policy = what's allowed at all.
  • Cloud Identity — manage users & groups; grant IAM to groups, not individuals.
  • APIs — must be enabled per project (gcloud services enable).
  • Cloud Asset Inventory — search/export resource + IAM metadata across the org (snapshots, exports to BigQuery).
  • Resource scope: global (VPC, images, snapshots), regional (subnets, regional MIGs, regional disks), zonal (VMs, zonal disks).

project = isolation + billing unit: Quotas, APIs, billing, and most IAM live at the project level. Separate prod/dev into different projects (often different folders) so a mistake or quota in one can't touch the other.

2. Billing

  • A billing account (paid via a payments profile) is linked to one or more projects. A project with no billing account can't use paid resources.
  • Budgets + alerts — set a budget on a billing account/project; alerts at % thresholds (email/Pub/Sub). Budgets notify, they don't cap spend.
  • Billing export — export detailed billing to BigQuery for analysis; labels for cost attribution.
  • IAM roles: billing.admin, billing.user (link projects), billing.viewer.

3. IAM & Service Accounts (study #1)

Thing                 What
Member / principal    User, group, domain, or service account.
Role                  Basic (owner/editor/viewer — avoid), Predefined (per-service, e.g. roles/storage.objectViewer), Custom (exact permissions).
Policy (binding)      member + role attached to a resource. Inherited down the hierarchy.
Service Account (SA)  Identity for workloads. Has its own IAM roles; others get iam.serviceAccountUser to act as it.
  • Least privilege: predefined/custom roles over basic; grant to groups; scope at the lowest node.
  • Workload Identity (GKE) / attached SAs (GCE) so pods/VMs auth without key files.
  • SA keys are a liability — prefer keyless (Workload Identity Federation for external/CI). Org policy can disable key creation.
gcloud projects add-iam-policy-binding PROJECT \
  --member="group:devs@ex.com" --role="roles/compute.viewer"
gcloud iam service-accounts create app-sa --display-name "app"
gcloud iam roles create myRole --project P --permissions=storage.objects.get
gcloud projects get-iam-policy PROJECT      # audit who has what

attach SAs, don't ship keys: Give a VM/GKE pod an attached service account (or Workload Identity), never a downloaded JSON key. Keys leak and don't rotate. Basic "Editor/Owner" in prod = exam wrong answer.
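Added example (not from the cheatsheet): a small Python audit over the JSON that `gcloud projects get-iam-policy P --format=json` prints, flagging the three least-privilege smells above: basic roles, public principals, and grants to individual users instead of groups. The policy embedded below is a constructed sample, not a real project.

```python
import json
import sys

# Constructed sample in the shape gcloud prints for
# `gcloud projects get-iam-policy P --format=json` (not a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@ex.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:app-sa@p.iam.gserviceaccount.com"]},
        {"role": "roles/compute.viewer", "members": ["group:devs@ex.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "etag": "BwXYZ=",
    "version": 1,
})

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy_json):
    """Return (severity, role, member, reason) tuples for least-privilege smells."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("HIGH", role, member, "public principal"))
            if role in BASIC_ROLES:
                findings.append(("HIGH", role, member, "basic role; use predefined/custom"))
            if member.startswith("user:"):
                findings.append(("LOW", role, member, "granted to an individual; prefer a group"))
    return findings


def count_by_severity(findings):
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy P --format=json > policy.json; python3 audit.py policy.json
    policy = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for finding in audit_policy(policy):
        print("%-4s %-30s %-55s %s" % finding)
```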

4. Compute (study #3)

  • Compute Engine — VMs (IaaS). Machine families: E2/N2 (general), C2 (compute), M (memory). Preemptible/Spot = cheap, can be reclaimed. Custom machine types. Sustained-use + committed-use discounts.
  • Instance templates — immutable VM blueprint; Managed Instance Group (MIG) uses a template for autoscaling, autohealing (health checks), rolling updates, regional (multi-zone) spread.
  • GKE — managed Kubernetes. Standard (you manage nodes) vs Autopilot (Google manages nodes, per-pod billing). Node pools, cluster autoscaler, Workload Identity.
  • Cloud Run — serverless containers, scale to zero, request/CPU billing, any language. Best for stateless HTTP/event services with no infra.
  • App Engine — PaaS: Standard (sandboxed, scales to zero) vs Flexible (containers on VMs).
  • Cloud Functions — serverless event-driven functions (Pub/Sub, GCS, HTTP triggers).

Pick: VM control → Compute Engine; orchestrated containers → GKE; stateless container no infra → Cloud Run; tiny event glue → Cloud Functions.

gcloud compute instances create vm1 --machine-type e2-medium --zone us-central1-a
gcloud compute instance-templates create tmpl --machine-type e2-small
gcloud compute instance-groups managed create mig --template tmpl --size 3 --region us-central1
gcloud compute instance-groups managed set-autoscaling mig --max-num-replicas 10 --target-cpu-utilization 0.6
gcloud container clusters create-auto c1 --region us-central1
gcloud run deploy svc --image REGION-docker.pkg.dev/P/repo/img --region us-central1 --allow-unauthenticated

5. Storage & databases (study #4, #7)

  • Cloud Storage (GCS) — object storage. Classes: Standard (hot), Nearline (~30d), Coldline (~90d), Archive (~365d). Lifecycle rules transition/delete by age; versioning; uniform bucket-level access; signed URLs.
  • Persistent Disk (block, VM-attached, zonal/regional); Filestore (managed NFS).
Need                                                          Database
Managed relational (MySQL/Postgres/SQL Server), regional      Cloud SQL
Global, horizontally-scaling relational, strong consistency   Cloud Spanner
Serverless NoSQL document, mobile/web, realtime               Firestore
Wide-column, massive throughput, time-series/IoT              Bigtable
Serverless analytics / data warehouse (SQL over huge data)    BigQuery
In-memory cache                                               Memorystore (Redis/Memcached)
gsutil mb -c standard -l us gs://my-bucket ; gsutil cp f gs://my-bucket/
gsutil lifecycle set lifecycle.json gs://my-bucket
gcloud sql instances create db1 --database-version POSTGRES_15 --tier db-custom-2-7680 --region us-central1
bq query --use_legacy_sql=false 'SELECT count(*) FROM ds.t'

Cloud SQL vs Spanner vs BigQuery: Cloud SQL = single-region OLTP relational. Spanner = global OLTP relational at scale (expensive). BigQuery = analytics/warehouse (OLAP), not for transactional app reads. Classic exam trap.

6. Networking (study #2)

Component                 Role
VPC                       Global resource; subnets are regional (with a CIDR). Auto or custom mode.
Firewall rules            VPC-level, stateful, by network tag / SA; priority-ordered; implied allow-egress + deny-ingress.
Routes                    Where traffic goes (default to internet GW, custom for NAT/VPN).
Cloud NAT                 Outbound internet for VMs with no external IP (private instances).
Cloud Load Balancing      Global external HTTP(S) (anycast IP, L7); regional/internal (L4 TCP/UDP). Backend services + health checks + MIGs/NEGs.
Cloud VPN / Interconnect  VPN (IPsec over internet) vs Interconnect (dedicated/partner private link) to on-prem.
Cloud DNS                 Managed DNS (public + private zones).
Shared VPC / Peering      Share one VPC across projects / connect two VPCs.
gcloud compute networks create vpc1 --subnet-mode custom
gcloud compute networks subnets create sn --network vpc1 --range 10.0.0.0/24 --region us-central1
gcloud compute firewall-rules create allow-ssh --network vpc1 --allow tcp:22 --source-ranges 35.235.240.0/20
gcloud compute routers create r --network vpc1 --region us-central1
gcloud compute routers nats create nat --router r --region us-central1 --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges

VPC global, subnets regional (vs AWS): A GCP VPC spans all regions; you add a subnet per region. (AWS VPC is regional.) Firewall rules are at the VPC, evaluated by priority + target tags/SAs — not per-subnet like AWS NACLs.
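Added example (not from the cheatsheet): a Python model of how VPC firewall rules are evaluated, so you can reason about the rule semantics in the table above without a project: lowest priority number wins, deny beats allow at equal priority, target tags narrow which VMs a rule applies to, and the two implied rules (allow egress, deny ingress at 65535) catch everything else. The rules below are a constructed sample VPC; the 35.235.240.0/20 source range is the one used in the allow-ssh command above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    priority: int                 # 0..65535; lower number is evaluated first
    direction: str                # "INGRESS" or "EGRESS"
    action: str                   # "allow" or "deny"
    ports: set = field(default_factory=set)            # TCP ports; empty = any
    source_ranges: list = field(default_factory=list)  # ingress only
    target_tags: set = field(default_factory=set)      # empty = every VM in the VPC


# Every VPC carries these two implied rules at the lowest priority.
IMPLIED_RULES = [
    Rule("implied-allow-egress", 65535, "EGRESS", "allow"),
    Rule("implied-deny-ingress", 65535, "INGRESS", "deny", source_ranges=["0.0.0.0/0"]),
]

# Constructed sample rules for a hypothetical VPC.
RULES = [
    Rule("allow-ssh", 1000, "INGRESS", "allow", {22}, ["35.235.240.0/20"], {"ssh"}),
    Rule("allow-web", 1000, "INGRESS", "allow", {80, 443}, ["0.0.0.0/0"], {"web"}),
    Rule("deny-ssh-locked", 900, "INGRESS", "deny", {22}, ["0.0.0.0/0"], {"locked"}),
] + IMPLIED_RULES


def matches(rule, direction, src_ip, port, vm_tags):
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & vm_tags):
        return False
    if rule.ports and port not in rule.ports:
        return False
    if direction == "INGRESS":
        return any(ip_address(src_ip) in ip_network(r) for r in rule.source_ranges)
    return True


def evaluate(rules, direction, src_ip, port, vm_tags):
    """Return (rule name, action) of the first match in priority order.
    Ties at the same priority go to deny, as on GCP."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if matches(rule, direction, src_ip, port, set(vm_tags)):
            return rule.name, rule.action
    return None, "deny"   # unreachable while the implied rules are present
```

Call `evaluate(RULES, "INGRESS", "203.0.113.9", 22, {"ssh"})` to see the implied deny win for a source outside the allowed range, and add a "locked" tag to the same VM to see the priority-900 deny override the priority-1000 allow.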

7. Infrastructure automation & CI/CD

  • Terraform — the standard IaC; google provider; remote state in a GCS backend. (Deployment Manager is legacy — just be aware.)
  • Cloud Build — managed CI/CD; cloudbuild.yaml steps build/test/deploy; triggers on repo push; runs as a service account.
  • Artifact Registry — store container images + language packages (replaces Container Registry).
  • Typical flow: push → Cloud Build builds image → push to Artifact Registry → deploy to Cloud Run/GKE.
gcloud builds submit --tag REGION-docker.pkg.dev/P/repo/img
gcloud artifacts repositories create repo --repository-format docker --location REGION
# Terraform: backend "gcs" { bucket = "tf-state"  prefix = "prod" }

8. Operations — monitoring & logging (study #8)

  • Cloud Monitoring — metrics, dashboards, uptime checks, alerting policies (condition + notification channel). The Ops Agent collects VM metrics/logs.
  • Cloud Logging — centralized logs; log sinks export to GCS/BigQuery/Pub/Sub; log-based metrics; retention buckets.
  • Error Reporting — groups + surfaces application exceptions.
  • Cloud Trace / Profiler — latency traces / CPU+heap profiling.
  • Cloud Asset Inventory — inventory + change history of resources/IAM.
gcloud logging read 'severity>=ERROR' --limit 20 --freshness 1h
gcloud logging sinks create to-bq bigquery.googleapis.com/projects/P/datasets/logs --log-filter='resource.type="gce_instance"'
gcloud monitoring dashboards list

9. Security (study throughout)

  • IAM least privilege + groups + custom roles (see §3).
  • Org Policies — restrict regions, block external IP on VMs, enforce uniform bucket access, disable SA keys.
  • Cloud Armor — WAF + DDoS protection in front of the global HTTP(S) LB (IP allow/deny, rules, rate limiting).
  • Encryption: at rest by default (Google-managed); CMEK (your keys in Cloud KMS) for control; CSEK (you supply keys); in transit via TLS.
  • Secret Manager — store/rotate secrets with IAM + versioning (don't put secrets in env/code/images).
  • Audit Logs: Admin Activity (always on), Data Access (opt-in), System Event, Policy Denied. Access Transparency logs Google access.
  • VPC Service Controls — perimeter to stop data exfiltration from managed services.
gcloud secrets create db-pass --replication-policy automatic
echo -n 's3cr3t' | gcloud secrets versions add db-pass --data-file=-
gcloud kms keyrings create kr --location us ; gcloud kms keys create k --keyring kr --location us --purpose encryption

10. Backup, recovery & troubleshooting

  • Snapshots for persistent disks (incremental, can schedule); machine images for whole VMs.
  • Cloud SQL automated backups + PITR; export to GCS; cross-region replicas for DR.
  • GCS versioning + dual/multi-region buckets for durability; Object Lifecycle for retention.
  • Troubleshooting: IAM denied → check effective roles + org policy + audit logs; VM unreachable → firewall rule/tag, external IP, routes (use the connectivity test / SSH-in-browser); app errors → Logging + Error Reporting.

11. gcloud / gsutil / bq essentials

gcloud init ; gcloud auth login ; gcloud auth application-default login
gcloud config set project P ; gcloud config set compute/region us-central1
gcloud config configurations list   # switch between projects/accounts
gcloud projects list ; gcloud services enable run.googleapis.com
gcloud compute instances list ; gcloud compute ssh vm1 --zone us-central1-a
gcloud container clusters get-credentials c1 --region us-central1   # then kubectl
gcloud iam service-accounts list ; gcloud projects get-iam-policy P
gsutil ls / cp / rsync / iam ch ; bq ls / query / mk

12. Exam-style Q&A

  • Resource hierarchy & inheritance? Org → Folder → Project → Resource. IAM + org policies inherit downward. Project = billing/quota/API/isolation unit.
  • Basic vs predefined vs custom roles? Basic (owner/editor/viewer) too broad — avoid in prod. Predefined = service-scoped least privilege. Custom = your exact permission set.
  • How should a VM/pod authenticate to GCP services? Attached service account (GCE) or Workload Identity (GKE) — never a downloaded SA key. WIF for external/CI.
  • Cloud Run vs GKE vs App Engine vs Functions? Cloud Run = stateless containers, scale to zero. GKE = full Kubernetes. App Engine = PaaS. Functions = event-driven snippets.
  • MIG benefits? Autoscaling, autohealing (health checks recreate bad VMs), rolling updates, regional spread — from an instance template.
  • VPC scope vs AWS? GCP VPC is global; subnets regional. Firewall rules at the VPC by tag/SA + priority.
  • Cloud SQL vs Spanner vs Bigtable vs BigQuery? SQL = regional relational OLTP; Spanner = global relational at scale; Bigtable = wide-column high-throughput NoSQL; BigQuery = serverless analytics warehouse (OLAP, not app reads).
  • Which storage class for archived data accessed yearly? Archive (cheapest storage, highest retrieval/min-duration). Nearline ~30d, Coldline ~90d, Standard hot.
  • How do private VMs reach the internet? Cloud NAT (outbound only, no external IP). Inbound via a load balancer.
  • How do private VMs (no public IP) reach Google APIs? Private Google Access on the subnet (and Cloud NAT for general egress).
  • Budgets vs quotas? Budgets alert on spend (don't cap). Quotas are hard limits on resource/API usage (request increases). Org policy restricts what's allowed at all.
  • CMEK vs default encryption? Data is encrypted at rest by default (Google-managed keys). CMEK uses your Cloud KMS keys for control/rotation/audit; CSEK = you supply the key.
  • How to protect a public app from DDoS/bad IPs? Cloud Armor (WAF + rate limiting + IP rules) on the global HTTP(S) load balancer.
  • Where do secrets go? Secret Manager (IAM + versioning + rotation) — not env vars, code, or images.
  • Which audit log is always on? Admin Activity. Data Access logs are opt-in (can be large). Access Transparency logs Google support access.
  • How to export billing for analysis? Enable billing export to BigQuery; query + label for cost attribution.
  • CI/CD on GCP? Cloud Build (triggers, cloudbuild.yaml) builds → Artifact Registry stores images → deploy to Cloud Run/GKE. Terraform for infra (state in GCS).
  • VM unreachable — how to debug? Check firewall rule + target tag/SA, external IP / Cloud NAT, routes; use Connectivity Tests and SSH-in-browser; then VM serial console + logs.

13. Study priority order

  1. IAM + Service Accounts
  2. VPC networking
  3. Compute Engine
  4. Cloud Storage
  5. GKE
  6. Cloud Run
  7. Cloud SQL
  8. Monitoring & Logging
  9. Load Balancers
  10. Terraform + Cloud Build

Exam: 120 min, multiple-choice + multiple-select, ~6 months hands-on recommended. Lean on the "right service for the requirement" framing and least-privilege defaults.

© cvam — written in plaintext, served warm