Passing the Google Cloud Developer exam

Hil Liao
6 min readDec 29, 2022

This is the 3rd time I have passed the Cloud Developer exam. Over time, the exam has become more difficult and has included more new products and services. The latest additions include Cloud Run, Cloud Functions, and Cloud Firestore; I believe App Engine and Cloud IoT have been removed.

  1. Google cloud storage 4xx error with the wrong encryption key at https://cloud.google.com/storage/docs/encryption/customer-supplied-keys#rest-apis
  2. How to create a folder in GCS with storage API: https://stackoverflow.com/questions/38416598/how-to-create-an-empty-folder-on-google-storage-with-google-api by using a trailing ‘/’ to create the file object.
  3. Your company has multiple development teams working in a namespace in GKE. You want to onboard more development teams and create multiple namespaces for dev, test, and prod environments. What’s the recommendation? One choice is using GKE RBAC to control each team’s permissions in each namespace, but that does not create multiple environments by namespace. I chose the answer of using a GKE resource quota per namespace.
  4. Understand the process of configuring KMS for GKE application-layer encryption for use cases like rotating keys and re-encryption. The question was about storing database connection passwords used by GKE deployments. I did not see a choice to use Secret Manager, but storing the passwords in ConfigMaps, environment variables, container images, or source code was wrong.
  5. Understand how to use Cloud Functions’ Pub/Sub trigger to process events for use cases where no cost is incurred while no events are received. The question was about choosing the right architecture for processing incoming messages. Selecting Compute Engine and managed instance groups was wrong. There was a selection for HTTP-based Cloud Functions, but I did not choose that. I remember it did not fit the use case, but I forgot exactly how.
  6. Cloud Trace and Profiler use cases: you need to understand the difference between the two. Profiler shows the CPU time of the methods executed, the heap, and other types of memory used. Trace shows the latency of calling the microservice; it did not go deeper into which method or section of code is causing high latency. I did not see questions about using Trace start_span, but that could measure the time spent executing the code in the span.
  7. Microservices are deployed to GKE clusters and Prometheus has been configured to collect metrics. The microservice was reporting errors in Cloud Logging. The Prometheus metrics showed abnormal values during an incident. How can you correlate the logs in Cloud Logging with the Prometheus metrics? Configure Cloud Logging to generate log-based metrics. Configure Prometheus to export metrics to Cloud Monitoring. Create a custom chart in Cloud Monitoring to correlate the monitoring metrics and the log-based metrics. The other answers were not that sophisticated.
  8. An existing Cloud Run service writes logs to Cloud Logging. There is a new requirement for security to audit the logs in a different project. What’s the best method? Create a Logs Router sink that exports the logs to another project’s storage bucket. Also learn the sink destinations.
  9. Binary Authorization: create an attestation in a Cloud Build step to show that the container image has no vulnerabilities, using on-demand scanning. Configure the Binary Authorization policy to allow only attested images to be deployed. The question had a scenario of ensuring that no container image built on Cloud Build with a vulnerability can be deployed in a CD pipeline later. How do you implement it in the CI pipeline? One option was to send the built container to 3rd-party scanning software deployed on Compute Engine. I don’t believe that was right, as it did not address the attestation part. There was another option that enabled vulnerability scanning but did not create an attestation or configure a Binary Authorization policy.
  10. Learn how to configure and use GKE Workload Identity, as it appeared 4 times in the exam. The most common use case is for GKE workloads or pods to call Google Cloud services such as BigQuery or Cloud Storage. Storing the service account key in a Kubernetes Secret or in the container image was the wrong answer. I vaguely remember one of the questions was about accessing secrets in Secret Manager using GKE Workload Identity.
  11. The security requirement for a Cloud Run service to consume a Cloud SQL instance is to use private IP. What’s the solution to configure Cloud SQL to enable it? Implement a Serverless VPC Access connector in the same region as the Cloud SQL instance and the Cloud Run service. Cloud SQL Auth Proxy is the wrong answer, as it does not create a new connection route.
  12. An existing solution using environment variables in Cloud Run services to call Cloud Functions is becoming harder to scale. Updating environment variables creates new Cloud Run revisions even if no code is changed. What’s the solution? Create a Service Directory namespace for the Cloud Run services to use, and query the namespace’s service endpoints.
  13. With roles/iam.serviceAccountTokenCreator, how can a user act as a service account to create infrastructure resources in Terraform? I regret choosing the answer of setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the service account’s key. The correct answer should be gcloud config set auth/impersonate_service_account with the service account’s email.
  14. Best option to serve static content globally: choose global HTTP load balancing with multi-regional buckets and enable Cloud CDN. Regional buckets or putting files on Compute Engine disks was wrong.
  15. GKE best method to call deployed microservices by DNS? Kubernetes service discovery is correct. Configuring Cloud DNS A records or using a hosts file was wrong.
  16. Most efficient method to enable and enforce encryption between pods and services in GKE for compliance reasons: enable Istio mTLS with sidecar injection on pods. The question and answer did not require deep knowledge of how to configure it at the namespace level, but it may appear in future exams.
  17. How to enable A/B testing by changing existing frontend web applications on Compute Engine to try 2 sets of design colors and layouts with the least code change? Implement HTTP load balancing with 2 backends. Putting some flags in the code was wrong.
  18. Best practice to enable CI/CD deployment to Cloud Run from Cloud Source Repositories? Enable Cloud Build triggers to automatically start builds on git push. Creating a Pub/Sub topic, cron jobs, or Cloud Scheduler jobs was cumbersome and wrong.
  19. Ideal managed database solution to allow a retailer’s customers to query orders immediately after submission with any combination of fields in the query? Cloud SQL is better than Firestore, because you can’t query multiple fields in a compound query in Firestore without creating a composite index.
  20. An e-commerce application is using Firestore for its product catalog. A Cloud Run service that reads the catalog and returns product details to users is throwing out-of-memory exceptions. Firestore’s logs show a spike in read queries during the time of the exceptions. What’s the solution to both problems? First, you need to understand what’s causing them. If you are reading a retailer’s product catalog with limited filtering, you’d experience high latency in the microservice, high load on the database, and high memory use in both. Firestore supports cursors in a query. There was a wrong answer to use some sort of integer offset, which wasn’t a feature in Firestore. Other wrong answers fixed only the Cloud Run service’s problem by changing the machine type to one with more memory, or throttled reads from the database.
  21. What’s the best data model design for Firestore to store user’s posts in a blog? Root collection contains users of type Document. A user document contains a collection for posts of type Document. Don’t put the posts in a list or array as they can only contain primitive types such as string or number.
  22. When GKE deployments of microservices can’t terminate database connections gracefully during the deployment cycle, what’s the solution to address the problem? The problem is that if database connections are not closed properly, the database connection pool fills with dead connections. Study the blog post to understand the different methods. If you have access to change the code, catching SIGTERM in the container and closing the database connection is best. Otherwise, with 3rd-party code, you can add lifecycle.preStop in the pod’s YAML; the problem is that the bash command may have a hard time identifying the active connections and closing them without knowing what the source code is doing. I think that was wrong.
  23. There are some simpler questions such as choosing between zonal or regional GKE clusters to avoid zonal outage.
  24. Learn how to use OAuth 2.0 to access Google APIs from server-side web apps. The question was about building a Java, Go, or Python based application on Google Cloud to call a Google API on behalf of users. I can’t remember which API it was about; maybe Storage or BigQuery. Be familiar with the access token, authorization code, and scope. Visit the 3 links to be familiar with them. I’ve built OAuth web app samples for Python 3 and Java for reference.
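For item 1 above (the 4xx error from a wrong customer-supplied encryption key), here is an added example that is not from the post or from the linked GCS documentation. It builds the three CSEK request headers the documentation describes and mirrors the server’s consistency check, so a mismatched key and hash can be caught before the request is sent. The sample key bytes are constructed; the header names are the real ones.

```python
# Added example (not from the post): customer-supplied encryption key (CSEK) headers
# for Cloud Storage, plus a client-side check that avoids the 4xx the server returns
# when the supplied key and its SHA-256 hash disagree. SAMPLE_KEY is constructed.
import base64
import hashlib

AES256_KEY_LEN = 32  # CSEK requires a 256-bit AES key


def csek_headers(key: bytes) -> dict:
    """Return the three headers a CSEK request must carry for the given raw key."""
    if len(key) != AES256_KEY_LEN:
        raise ValueError(f"CSEK key must be {AES256_KEY_LEN} bytes, got {len(key)}")
    key_b64 = base64.b64encode(key).decode("ascii")
    hash_b64 = base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": hash_b64,
    }


def headers_are_consistent(headers: dict) -> bool:
    """Mirror the server's check: the SHA-256 header must be the hash of the supplied key."""
    try:
        key = base64.b64decode(headers["x-goog-encryption-key"], validate=True)
        claimed = base64.b64decode(headers["x-goog-encryption-key-sha256"], validate=True)
    except (KeyError, ValueError):
        return False
    return len(key) == AES256_KEY_LEN and hashlib.sha256(key).digest() == claimed


# Constructed sample key for the demo; real keys come from os.urandom(32) and live
# in a secret store, never in source.
SAMPLE_KEY = bytes(range(AES256_KEY_LEN))

if __name__ == "__main__":
    hdrs = csek_headers(SAMPLE_KEY)
    print(hdrs)
    print("consistent:", headers_are_consistent(hdrs))
```

The same headers are needed again on every later read of the object, and a request that carries the wrong key for an object encrypted with a different key is rejected with the 4xx the linked page describes, so the hash check above only prevents the self-inflicted mismatch, not a lost key.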
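For item 3 above (one namespace per team and environment), here is an added example, not from the post, of what one such namespace looks like: a ResourceQuota bounds what the team can consume in it, and a namespace-scoped Role plus RoleBinding limits the team to that namespace. The names (team-alpha-dev, team-alpha@example.com) and the quota figures are assumed placeholders; the same three objects would be repeated per team and per environment.

```yaml
# Added example (not from the post): one dev namespace for one team.
# Names and quota values are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-alpha-dev
  labels:
    team: alpha
    env: dev
---
# The quota is what actually keeps one team's environment from starving another's.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-alpha-dev-quota
  namespace: team-alpha-dev
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
---
# Namespace-scoped Role: the team can manage its workloads here but holds nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-alpha-dev-editor
  namespace: team-alpha-dev
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "pods/log", "services", "configmaps", "deployments", "jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-alpha-dev-editors
  namespace: team-alpha-dev
subjects:
  - kind: Group
    # A Google Group can be used as the subject once Google Groups for RBAC is enabled on the cluster.
    name: team-alpha@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-alpha-dev-editor
  apiGroup: rbac.authorization.k8s.io
```

Note that the Role deliberately omits Secrets: a team that needs database credentials in this namespace is better served by Workload Identity (item 10) than by read access to every Secret in the namespace.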
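For item 9 above (attesting a scanned image in Cloud Build and enforcing it with Binary Authorization), here is an added example that is not from the post. The first file is a Cloud Build pipeline that scans the freshly pushed image on demand, fails the build if any CRITICAL finding is reported, and otherwise signs an attestation for the image digest; the second is the policy that admits only attested images. PROJECT_ID, REGION, the attestor name and the KMS key version are placeholders, and the attestor (with its Container Analysis note and public key) is assumed to exist already.

```yaml
# Added example (not from the post). Two files shown in one block.
# --- cloudbuild.yaml ---
# Shell variables inside steps are written as $$VAR so Cloud Build leaves them alone.
substitutions:
  _IMAGE_REPO: REGION-docker.pkg.dev/PROJECT_ID/apps/catalog
  _ATTESTOR: projects/PROJECT_ID/attestors/vulnz-attestor
  _KMS_KEY_VERSION: projects/PROJECT_ID/locations/global/keyRings/binauthz/cryptoKeys/vulnz-signer/cryptoKeyVersions/1
steps:
  - id: build
    name: gcr.io/cloud-builders/docker
    args: ["build", "-t", "${_IMAGE_REPO}:${COMMIT_SHA}", "."]
  - id: push
    name: gcr.io/cloud-builders/docker
    args: ["push", "${_IMAGE_REPO}:${COMMIT_SHA}"]
  - id: scan
    name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: bash
    args:
      - -c
      - |
        set -euo pipefail
        # Resolve the pushed digest so the scan and the attestation refer to the same bytes.
        DIGEST_URL=$$(gcloud artifacts docker images describe "${_IMAGE_REPO}:${COMMIT_SHA}" \
          --format='value(image_summary.fully_qualified_digest)')
        echo "$$DIGEST_URL" > /workspace/image_digest_url
        SCAN=$$(gcloud artifacts docker images scan "$$DIGEST_URL" --remote --format='value(response.scan)')
        CRITICAL=$$(gcloud artifacts docker images list-vulnerabilities "$$SCAN" \
          --format='value(vulnerability.effectiveSeverity)' | grep -c CRITICAL || true)
        if [ "$$CRITICAL" != "0" ]; then
          echo "Refusing to attest: $$CRITICAL CRITICAL vulnerabilities" >&2
          exit 1
        fi
  - id: attest
    name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: bash
    args:
      - -c
      - |
        set -euo pipefail
        # The attestation is bound to the digest, not the tag, so a retagged image is not attested.
        gcloud beta container binauthz attestations sign-and-create \
          --artifact-url="$$(cat /workspace/image_digest_url)" \
          --attestor="${_ATTESTOR}" \
          --keyversion="${_KMS_KEY_VERSION}"

# --- policy.yaml (imported once with: gcloud container binauthz policy import policy.yaml) ---
# globalPolicyEvaluationMode: ENABLE
# defaultAdmissionRule:
#   evaluationMode: REQUIRE_ATTESTATION
#   enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
#   requireAttestationsBy:
#     - projects/PROJECT_ID/attestors/vulnz-attestor
```

The Cloud Build service account needs permission to use the KMS signing key and to create occurrences on the attestor’s note; the policy is then what stops an unattested image at deploy time, regardless of which pipeline built it.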
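For item 10 above (GKE Workload Identity, including the Secret Manager variant), here is an added example that is not from the post. A Kubernetes ServiceAccount is annotated with the Google service account it may act as, and the Deployment runs under it; no key file is mounted anywhere. The two one-time IAM bindings are shown as comments. PROJECT_ID, REGION, the namespace, account and secret names, and the image digest are placeholders.

```yaml
# Added example (not from the post). Placeholders: PROJECT_ID, REGION, catalog-reader, db-password.
# One-time IAM setup (gcloud), binding the KSA to the GSA and the GSA to the secret:
#   gcloud iam service-accounts add-iam-policy-binding catalog-reader@PROJECT_ID.iam.gserviceaccount.com \
#     --role=roles/iam.workloadIdentityUser \
#     --member="serviceAccount:PROJECT_ID.svc.id.goog[catalog/catalog-ksa]"
#   gcloud secrets add-iam-policy-binding db-password \
#     --role=roles/secretmanager.secretAccessor \
#     --member="serviceAccount:catalog-reader@PROJECT_ID.iam.gserviceaccount.com"
# The cluster must have the workload pool enabled (--workload-pool=PROJECT_ID.svc.id.goog).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: catalog-ksa
  namespace: catalog
  annotations:
    iam.gke.io/gcp-service-account: catalog-reader@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: catalog
  namespace: catalog
spec:
  replicas: 2
  selector:
    matchLabels:
      app: catalog
  template:
    metadata:
      labels:
        app: catalog
    spec:
      serviceAccountName: catalog-ksa   # pods obtain the GSA's tokens from the GKE metadata server
      nodeSelector:
        iam.gke.io/gke-metadata-server-enabled: "true"
      containers:
        - name: catalog
          image: REGION-docker.pkg.dev/PROJECT_ID/apps/catalog@sha256:DIGEST_PLACEHOLDER
          # No key file is mounted and GOOGLE_APPLICATION_CREDENTIALS is not set: the
          # client library resolves Application Default Credentials to the GSA identity.
          env:
            - name: DB_PASSWORD_SECRET
              value: projects/PROJECT_ID/secrets/db-password/versions/latest
```

The application then calls Secret Manager with an ordinary client library and the secret resource name from DB_PASSWORD_SECRET; the credential it uses is short-lived and scoped to that one Google service account, which is what a mounted key in a Kubernetes Secret or a baked-in key in the image cannot offer.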
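For item 20 above (paging a large catalog with Firestore query cursors), here is an added example that is not from the post. In google-cloud-firestore a cursor page is Query.order_by(...).limit(n).start_after(last_snapshot); since that needs a live database, the block below uses a constructed in-memory catalog that only reproduces the read counting, so the cost of cursor paging versus integer-offset paging can be measured offline. The catalog data is constructed.

```python
# Added example (not from the post): cursor paging versus offset paging over a
# product catalog. CatalogStore is a constructed stand-in for the database; it
# counts documents read, which is what drives both the read-query spike and the
# service's memory use described in item 20.
import bisect
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CatalogStore:
    """Constructed in-memory catalog kept sorted by 'sku', like an ordered index."""
    docs: List[dict]
    reads: int = 0  # documents the store has had to read so far

    def __post_init__(self):
        self.docs.sort(key=lambda d: d["sku"])
        self._keys = [d["sku"] for d in self.docs]

    def page_after(self, page_size: int, after_sku: Optional[str] = None) -> List[dict]:
        """Cursor paging: seek in the index to the cursor and read only one page."""
        start = 0 if after_sku is None else bisect.bisect_right(self._keys, after_sku)
        page = self.docs[start:start + page_size]
        self.reads += len(page)
        return page

    def page_at_offset(self, page_size: int, offset: int) -> List[dict]:
        """Offset paging: the skipped documents are still read and then discarded."""
        page = self.docs[offset:offset + page_size]
        self.reads += min(offset, len(self.docs)) + len(page)
        return page


def scan_with_cursor(store: CatalogStore, page_size: int) -> Tuple[int, int]:
    """Walk the catalog one page at a time; memory never exceeds one page."""
    pages, cursor = 0, None
    while True:
        page = store.page_after(page_size, cursor)
        if not page:
            return pages, store.reads
        pages += 1
        cursor = page[-1]["sku"]  # the real client passes the last DocumentSnapshot


def scan_with_offset(store: CatalogStore, page_size: int) -> Tuple[int, int]:
    """Same walk with offsets; reads grow quadratically with catalog depth."""
    pages, offset = 0, 0
    while True:
        page = store.page_at_offset(page_size, offset)
        if not page:
            return pages, store.reads
        pages += 1
        offset += page_size


def sample_catalog(n: int) -> List[dict]:
    """Constructed products; SKUs are zero-padded so lexical order equals numeric order."""
    return [{"sku": f"SKU-{i:06d}", "name": f"product {i}", "price_cents": 100 + i}
            for i in range(n)]


if __name__ == "__main__":
    print("cursor:", scan_with_cursor(CatalogStore(sample_catalog(1000)), 100))
    print("offset:", scan_with_offset(CatalogStore(sample_catalog(1000)), 100))
```

The service should hand the last document’s cursor back to the client (for example as an opaque page token) rather than a page number, so each request reads one page regardless of how deep into the catalog the user is.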
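For item 22 above (closing database connections when a GKE pod is terminated), here is an added example that is not from the post. It shows the option the item calls best: the process catches SIGTERM, stops taking new work, finishes the unit in flight and closes its database connection before exiting. FakeDbConnection is a constructed stand-in for a driver connection so the block runs offline; the signal flow is the one a real service would use.

```python
# Added example (not from the post): handle SIGTERM inside the container so the
# worker stops, drains, and closes its database connection before the pod exits.
# FakeDbConnection is a constructed stand-in for a real driver connection.
import signal
import threading


class FakeDbConnection:
    """Stand-in for a pooled driver connection (constructed for the example)."""
    def __init__(self):
        self.closed = False

    def close(self):
        self.closed = True


class GracefulShutdown:
    """Turn SIGTERM/SIGINT into a stop flag; the work loop drains, then closes the DB."""

    def __init__(self, conn):
        self.conn = conn
        self.stop = threading.Event()

    def install(self):
        # Handlers must be installed on the main thread. In a container the process
        # that receives SIGTERM is PID 1, so start the app with an exec-form
        # ENTRYPOINT (no shell wrapper) or the signal never reaches this handler.
        signal.signal(signal.SIGTERM, self._on_signal)
        signal.signal(signal.SIGINT, self._on_signal)
        return self

    def _on_signal(self, signum, frame):
        # Keep the handler minimal: set the flag and let the loop act on it.
        self.stop.set()

    def run(self, unit_of_work) -> int:
        """Process units of work until a stop is requested; return how many ran."""
        processed = 0
        while not self.stop.is_set():
            unit_of_work(self.conn)  # a unit always completes; the loop never cuts one off
            processed += 1
        # Close explicitly so the server does not hold a dead session until its own
        # timeout reaps it, which is how the pool fills with dead connections.
        self.conn.close()
        return processed


def send_sigterm_to_self():
    """Deliver SIGTERM to this process, standing in for the kubelet at pod deletion."""
    signal.raise_signal(signal.SIGTERM)


if __name__ == "__main__":
    conn = FakeDbConnection()
    shutdown = GracefulShutdown(conn).install()

    def work(db):
        # Constructed workload: pretend the pod is deleted during the third unit.
        work.n = getattr(work, "n", 0) + 1
        if work.n == 3:
            send_sigterm_to_self()

    print(shutdown.run(work), "units processed; connection closed:", conn.closed)
```

The drain must fit inside the pod’s terminationGracePeriodSeconds (30 s by default), after which the kubelet sends SIGKILL and no handler runs; that deadline is the same constraint a lifecycle.preStop hook works under in the 3rd-party-code case.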

Link to the prior exam’s study guide in 2021.
