Cloud Developer Practice Exam 2025: Latest Questions

You are deploying a stateless REST API to Cloud Run. During traffic spikes, some requests fail with timeouts because instances take too long to start. You need to reduce cold-start impact while keeping costs reasonable. What should you do?

A Cloud Run service must call a Google Cloud API (for example, Secret Manager) and you want to follow least privilege. What is the recommended approach?

Your team wants to run unit tests and build a container image for every pull request. They also want a single, managed CI service on Google Cloud with minimal operational overhead. Which service should you use?

You need to blue/green deploy a new version of a Cloud Run service and gradually shift traffic while monitoring error rates. What should you do?

Your microservice writes events to Pub/Sub. A downstream Cloud Run subscriber processes messages and writes to Firestore. You notice duplicate writes in Firestore when the service occasionally retries. How should you design the subscriber to handle this?

A backend service running on Cloud Run intermittently fails when calling a third-party API due to transient network errors. You want to improve reliability and avoid overwhelming the third-party API during outages. What should you implement?

You need a secure way for a Cloud Run service to call an internal HTTP endpoint hosted on another Cloud Run service. The endpoint must not be publicly accessible, and you want to use IAM-based authentication. What should you do?

A team wants to validate that a newly built container image is free of known high-severity vulnerabilities before deploying to production. They are using Artifact Registry and Cloud Build. What is the best approach?

A data processing pipeline uses Pub/Sub to trigger Cloud Run jobs that write to Cloud SQL. During peak load, Cloud SQL becomes overloaded and starts rejecting connections. You need to protect Cloud SQL while keeping the system scalable. What should you do?

Your application runs on GKE and uses Workload Identity. Pods need to access a Cloud Storage bucket. Requests fail with "403 Forbidden" even though you granted the Google service account (GSA) the required Storage IAM role. What is the most likely missing step?

You are developing a stateless API on Cloud Run. During a deploy, some requests fail with 503 errors for a brief period. You want to eliminate downtime during releases without adding significant operational overhead. What should you do?

Your Cloud Run service fails to start and logs show: "Permission denied to access secret" when trying to read a value from Secret Manager. The secret exists in the same project. What is the most likely fix?

You need to store a structured collection of user profiles for a mobile app. The app requires low-latency reads, automatic scaling, and a document-oriented model. Which storage option is the best fit?

A Cloud Run service processes messages from Pub/Sub. Occasionally, a message causes a transient downstream failure and must be retried. You notice some messages are processed more than once. You need to guarantee correct behavior without relying on exactly-once delivery. What should you implement?

Your team uses Cloud Build to run unit tests and container builds. You want to prevent merges to the main branch unless Cloud Build tests pass, and you want results visible directly in the pull request. What is the best approach?

A service running on GKE needs to call a Google Cloud API (e.g., Pub/Sub) without storing service account keys. What is the recommended solution?

Your Cloud Run service writes logs using a JSON structure that includes fields like "requestId" and "tenantId". You want to efficiently filter and build metrics/alerts based on these fields in Cloud Logging and Cloud Monitoring. What should you do?

You are deploying a new microservice that must call an internal HTTP service hosted on a private GKE cluster (no public endpoint). The microservice runs on Cloud Run. You need private connectivity without exposing the GKE service publicly. What should you do?

Your Cloud Build pipeline deploys to Cloud Run using a service account. The deployment step fails with an error indicating the runtime service account cannot pull the container image from Artifact Registry. You want the minimal permissions needed to fix this. What should you do?

A multi-step workflow (charge credit card, reserve inventory, create shipment) is implemented with Pub/Sub and Cloud Run services. When a downstream step fails, you need to coordinate compensating actions (e.g., refund payment) and provide an auditable state machine for each order. Which approach is most appropriate?

You deploy a stateless API to Cloud Run behind an HTTPS load balancer. Users report intermittent 401 errors only during traffic spikes. Logs show some requests missing the expected Authorization header when they reach the service. What is the most likely cause and best fix?

A Cloud Run service processes Pub/Sub push messages. During an incident, you discover a large number of duplicate messages were processed, causing double-charging. The service returns 500 for transient downstream errors and performs a non-idempotent charge operation before the downstream call completes. What is the best approach to prevent double-charging while maintaining reliability?

You need to run integration tests for a Cloud Run service in Cloud Build. The tests must call a private Cloud SQL instance and access a secret from Secret Manager. You want least privilege and no long-lived credentials in the pipeline. What should you do?

Your team wants to safely roll out a new container image to a Cloud Run service with the ability to quickly revert if error rates increase. What deployment strategy should you use?

A microservice in GKE needs to call the Cloud Storage JSON API. Security requires eliminating service account keys and restricting access to only this workload. What is the recommended approach?