Notes from my Google’s Associate Cloud Engineer Exam — Part #2

Abishaik Mohan
5 min read · Nov 15, 2020

I recently passed Google’s Associate Cloud Engineer exam and shared my experience, along with the crucial topics and resources required to ace the exam, in the blog post below. If you missed it, here’s the link to it.

Take a look at it before reading the notes I jotted down during my test preparation. I’m planning to write this as a series of articles so that it doesn’t appear overwhelming or take too long to digest! Also, here’s the link to Part 1, which covered Compute Engine and App Engine.

I hope this is useful for future test-takers in their cloud journey to know about the wonders of Google Cloud Platform.

It’s important to note that even though the service limits are subject to change in the future, the core concepts always remain the same. It’s equally important to go through the CLI commands for the topics below, as listing them all here would be far too lengthy. So, without any further ado, let’s get started!

Storage options

Essential topics — Various Storage choices; use cases, Cloud storage — “gsutil” and importing & exporting data using GUI + CLI.

  • Cloud SQL — Terabyte-scale relational storage; ideal for transactional or tabular data such as user sessions or item orders. Cloud SQL is regional.
  • Cloud Spanner — Petabyte-scale relational storage; global consistency is assured when users are spread all over the world and high I/O is required.
  • Datastore — Terabyte-scale non-relational key-value storage; ideal for semi-structured data, App Engine apps and offline sync with mobile apps.
  • Bigtable — Petabyte-scale non-relational storage; ideal for low-latency, heavy read/write workloads, suitable for storing IoT, Adtech and financial data.
  • Cloud Storage — Blob storage; ideal for structured/unstructured binary objects such as images, backups and large media files.
  • BigQuery — Data warehouse storage; ideal for interactive querying and analytics; essentially an OLAP (Online Analytical Processing) database.

GCP offers Memorystore, a managed service for Redis, the widely used open-source cache; Memorystore for Memcached is also available. An instance can be configured with 1–300 GB of memory. For high availability, Memorystore creates failover replicas.

Cloud Firestore is designed for storing, synchronizing and querying data across distributed apps, such as mobile apps. Apps keep working offline and are updated in close to real time when data changes on the back end. It also supports transactions and provides multi-regional replication.

Cloud SQL scales vertically (adding more CPUs/memory as load grows), whereas Bigtable runs in clusters and scales horizontally (adding nodes/clusters as load grows).

When I wrote the exam, two to three questions were centered around BigQuery concepts. Also, don’t forget to check out the pricing calculator for the above-mentioned storage options! Give special attention to BigQuery.

In Cloud SQL, enabling binary logging makes point-in-time recovery possible. To ensure high availability, create failover replicas in the same region but in a different zone.

Cloud Transfer Service is used for transferring massive amounts of data (petabytes). It’s pretty expensive. Multithreaded uploads using gsutil’s -m option can be a great alternative for full bandwidth utilization.

Best Practice — Use secure defaults when working with GCS. Avoid granting object-level access to data.

The GCS console doesn’t handle lifecycle configuration files; gsutil accepts lifecycle configurations only as JSON files.

Signed URLs provide time-limited access to objects in GCS. They don’t guarantee security on their own: if a signed URL is leaked, anyone holding it can access the object until the URL expires.
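As an added example (not code from the original post), the following Python reads the expiry encoded in a GCS V4 signed URL so a defender can tell how long a leaked link stays usable; the bucket, object, credential and signature values in the sample URL are constructed placeholders.

```python
# Added example, not from the original post: inspect a GCS V4 signed URL and
# work out when it stops granting access. Anyone who obtains the URL can use it
# until that instant, which is why a short X-Goog-Expires and careful handling
# of the URL matter.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse


def signed_url_expiry(url: str) -> datetime:
    """Return the UTC instant after which a V4 signed URL no longer works."""
    params = parse_qs(urlparse(url).query)
    # X-Goog-Date is the signing time; X-Goog-Expires is the lifetime in seconds.
    signed_at = datetime.strptime(params["X-Goog-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at + timedelta(seconds=int(params["X-Goog-Expires"][0]))


def is_still_valid(url: str, now: datetime) -> bool:
    """True if the URL would still be accepted at the given UTC time."""
    return now < signed_url_expiry(url)


# Constructed sample: bucket, object, credential and signature are placeholders.
SAMPLE_URL = (
    "https://storage.googleapis.com/example-bucket/backups/db.dump"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=svc%40example-project.iam.gserviceaccount.com"
    "%2F20201115%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20201115T100000Z"
    "&X-Goog-Expires=3600"
    "&X-Goog-SignedHeaders=host"
    "&X-Goog-Signature=PLACEHOLDER_NOT_A_REAL_SIGNATURE"
)

if __name__ == "__main__":
    expiry = signed_url_expiry(SAMPLE_URL)
    print("URL expires at", expiry.isoformat())
    print("valid now?", is_still_valid(SAMPLE_URL, datetime.now(timezone.utc)))
```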

IAM (Identity and Access Management)

Essential topics — IAM roles for core services, granting IAM roles within & across projects, the Principle of Least Privilege & instances’ access scopes.

  • A Cloud Identity account is associated with at most one organization. Cloud Identity super admins assign the Organization Admin IAM role. Org admins can get and list projects but not shut them down.
  • By default, when an organization resource is created, the Project Creator & Billing Account Creator roles are granted to all users in the G Suite/Cloud Identity domain.

Only one IAM policy can be attached to a resource, with a maximum of 1,500 member bindings per policy. If you’re close to 1,500 member bindings, you’re assigning IAM roles the wrong way! Use groups to grant similar roles instead.

  • An access scope is defined by a URL that starts with https://www.googleapis.com/auth/ followed by the permission on the resource. Scopes belong to the instance; you can’t attach a scope when creating a service account.

Example — A scope allowing a VM to insert data into BigQuery: https://www.googleapis.com/auth/bigquery.insertdata

  • To grant a service account access to another project, navigate to the IAM page of that project and specify the service account’s e-mail address as the member to add.

Best Practices

  1. When granting IAM roles, never grant more permissions than necessary — the Principle of Least Privilege.
  2. Always use groups (except for very small teams) to grant IAM roles.
  3. Never use primitive roles; always prefer pre-defined roles. If an operation requires permissions that no pre-defined role provides, create a custom role.

Check out the pre-defined roles for core GCP services here. It’s enough to go through the core roles, as going through all of them is obviously exhausting!
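To make the binding limit and the best practices above checkable, here is an added example (not the post’s own code): a small Python linter for an IAM policy document of the shape that `gcloud projects get-iam-policy --format=json` returns. The sample policy, project name, users and groups are constructed placeholders.

```python
# Added example, not from the original post: a small linter for a GCP IAM policy
# document (the JSON that `gcloud projects get-iam-policy --format=json` returns).
# It checks the practices listed above: no primitive roles, roles granted to
# groups rather than individual users, nothing granted to the public principals,
# and the policy kept well below the 1,500 member-binding limit.
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
MAX_MEMBER_BINDINGS = 1500   # per-policy limit quoted in the notes
WARN_RATIO = 0.8             # warn once 80% of that limit is used


def lint_iam_policy(policy: dict) -> dict:
    """Return the member-binding count and a list of findings for one policy."""
    findings = []
    member_bindings = 0
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])
        member_bindings += len(members)  # each member in each binding counts
        if role in PRIMITIVE_ROLES:
            findings.append(f"{role} is a primitive role; use a pre-defined or custom role")
        for member in members:
            if member.startswith("user:"):
                findings.append(f"{role} granted directly to {member}; grant it to a group")
            elif member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"{role} granted to {member}; the resource is public")
    if member_bindings >= MAX_MEMBER_BINDINGS * WARN_RATIO:
        findings.append(f"{member_bindings} member bindings, near the {MAX_MEMBER_BINDINGS} limit")
    return {"member_bindings": member_bindings, "findings": findings}


# Constructed sample policy; project, users and groups are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/bigquery.dataEditor",
     "members": ["group:data-eng@example.com",
                 "serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    for finding in lint_iam_policy(SAMPLE_POLICY)["findings"]:
        print("WARN:", finding)
```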

  • When setting the support level for a permission in a custom role, it can be one of Supported, Testing or Not Supported.

Special Mentions

  1. Project Billing Manager — link/unlink a project to/from a billing account. Granted at the org/project level.
  2. Billing Account Creator — use this role for the initial billing setup or to allow the creation of additional billing accounts.
  3. Shared VPC Admin — create host projects and attach one or more service projects.
  4. iam.roleViewer — read access to all custom roles in a project.
  5. compute.storageAdmin — create, modify & delete disks, images & snapshots.
  6. Compute Engine & BigQuery roles.

Thanks for reading till the end of the post! I love sharing information in the hope that it will help people out there. I also write about productivity and life. If you liked my writing, just hit the follow button on Medium to receive more such updates. Connect with me on LinkedIn, Facebook or Twitter for any guidance or discussion on technology, or for help.

Thanks again for reading and have a wonderful day!