
GCP ACE Cheat Sheet 2026

Everything you need on one page before exam day: the five Associate Cloud Engineer sections, a gcloud CLI quick reference, the compute and storage decision tables, IAM and the resource hierarchy, and the traps that catch first-timers.

Questions: 50–60
Duration: 2 hours
Pass score: Not published
Exam fee (USD): $125
Validity: 3 yrs
Format: MCQ + MRQ

01 Exam sections overview

The Associate Cloud Engineer exam is organised into five sections. Google does not publish percentage weights for them, so treat all five as fair game and lean on the ones you have least hands-on time with.

1. Setting up a cloud solution environment

Create and manage projects, set up billing, install and configure the Cloud SDK / gcloud CLI.

2. Planning and configuring a cloud solution

Plan compute, storage and network resources; use the pricing calculator; choose the right products for a workload.

3. Deploying and implementing a cloud solution

Deploy on Compute Engine, GKE, Cloud Run, App Engine and Cloud Functions; deploy data and networking resources.

4. Ensuring successful operation of a cloud solution

Manage running resources, monitoring and logging (Cloud Monitoring & Logging), and resource health.

5. Configuring access and security

Manage IAM roles and service accounts, view audit logs, and apply least-privilege access.

Read this first: ACE is hands-on flavoured — most questions expect you to know the right gcloud command or Console action for a scenario, not just a definition. And remember: Google does not publish a passing percentage, so optimise for breadth across all five sections.

02 gcloud / CLI quick reference

You will not be asked to write code, but you must recognise the right command for a task. These are the verbs that show up most. Run them from your machine after gcloud init, or skip the install entirely and use Cloud Shell — an in-browser terminal with the SDK pre-installed.

Config & auth

gcloud auth login · gcloud config set project

Authenticate, then pin the active project: gcloud config set project <PROJECT_ID>. Use gcloud auth for credentials.

Projects

gcloud projects list / create / add-iam-policy-binding

gcloud projects manages projects and their IAM policy bindings — the root of almost every setup task.

Compute Engine

gcloud compute instances create / list

Create a VM: gcloud compute instances create <NAME> --zone=<ZONE>. Manage disks, images and firewall rules here too.

GKE

gcloud container clusters create / get-credentials

Create a cluster, then gcloud container clusters get-credentials <NAME> wires up kubectl.

Cloud Storage

gsutil mb · gsutil cp

gsutil mb gs://<BUCKET> makes a bucket; gsutil cp copies objects in and out.

BigQuery

bq mk · bq query

The bq tool runs queries and manages datasets/tables in BigQuery from the shell.

IAM

gcloud iam service-accounts / roles

gcloud iam creates service accounts and inspects roles; bind them to resources with add-iam-policy-binding.

Cloud Shell

browser terminal · SDK pre-installed

No local install needed — Cloud Shell gives you gcloud, gsutil, bq and kubectl with 5 GB of persistent home storage.

03 Compute options — when to use each

| If the scenario says… | Choose | Why |
| --- | --- | --- |
| Full control of the OS / VMs / lift-and-shift | Compute Engine | Infrastructure-as-a-service VMs; pick machine type, image and disks yourself. |
| Run and orchestrate containers at scale | GKE | Managed Kubernetes for microservices needing fine-grained control over pods and nodes. |
| Stateless containers, scale to zero, pay per request | Cloud Run | Fully managed serverless containers — no cluster to run, scales down to zero. |
| Managed web apps without managing servers | App Engine | Standard = sandboxed, scales to zero fast; Flexible = Docker containers on managed VMs. |
| Single-purpose event-driven function | Cloud Functions | Tiny snippets triggered by events (Pub/Sub, Storage, HTTP); the lightest serverless option. |

Pattern to memorise: the more you want managed for you, the further right you move — Compute Engine (you manage the VM) → GKE (you manage the cluster) → Cloud Run / App Engine / Cloud Functions (Google manages everything).

04 Storage & databases

Storage — objects, blocks and files

| Need | Service | Key fact |
| --- | --- | --- |
| Object storage, web-scale | Cloud Storage | Classes by access frequency: Standard (hot) → Nearline (~30 days) → Coldline (~90 days) → Archive (~365 days, cheapest). |
| Block volume for a VM | Persistent Disk | Durable block storage attached to Compute Engine; standard (HDD) or SSD. |
| Shared filesystem (NFS) for many VMs | Filestore | Managed NFS file shares for workloads that need a POSIX filesystem. |

Databases — pick by data shape and scale

| If you need… | Choose | Why |
| --- | --- | --- |
| Managed relational (MySQL/PostgreSQL/SQL Server) | Cloud SQL | Regional managed RDBMS for traditional apps. |
| Relational + global scale + strong consistency | Cloud Spanner | Horizontally scalable relational DB with global consistency (pricier). |
| Document / mobile & web app data | Firestore | Serverless NoSQL document database with real-time sync. |
| Massive wide-column NoSQL, high throughput | Bigtable | Low-latency wide-column store for time-series and IoT at scale. |
| Analytics / data warehouse / SQL on big data | BigQuery | Serverless columnar warehouse for OLAP and BI queries. |
| In-memory cache (Redis/Memcached) | Memorystore | Managed Redis/Memcached to cut read load and add sub-ms cache. |

Pick the right database: relational + regional = Cloud SQL; relational + global = Spanner; documents = Firestore; huge NoSQL throughput = Bigtable; analytics = BigQuery; cache = Memorystore. Match the data shape first, then the scale.

05 Networking essentials

VPC

A VPC is global; its subnets are regional. One network can span every region without VPNs between them.

Firewall rules

Stateful allow/deny rules attached to the VPC, applied to instances by network tag or service account.

Cloud Load Balancing

Global (HTTP(S), L7) for web traffic across regions; regional (Network LB, L4 TCP/UDP) for protocol-level balancing.

Cloud DNS

Managed, scalable authoritative DNS for public and private zones.

Cloud NAT

Lets instances without external IPs reach the internet outbound — the way private VMs get updates.

Interconnect & VPN

Cloud VPN tunnels over the public internet; Cloud Interconnect is a dedicated private link to on-prem.

Shared VPC vs Peering

Shared VPC = one host project shares subnets with service projects (central control). VPC Peering = two networks exchange routes without a gateway.

06 IAM & resource hierarchy

IAM answers a single question on every resource: who (member) can do what (role) on which resource. Policies set high in the hierarchy are inherited downward.

Resource hierarchy (top → bottom)

  • Organization → Folder → Project → Resources. An IAM policy applied at a higher level is inherited by everything beneath it.
  • Project is the core unit of billing, quotas and resource grouping — almost everything lives inside a project.

| Role type | Examples | Use for |
| --- | --- | --- |
| Basic | Owner, Editor, Viewer | Broad legacy roles — convenient but too coarse for production. |
| Predefined | roles/compute.admin, roles/storage.objectViewer | Curated per-service roles — the recommended default for least privilege. |
| Custom | Your own bundle of permissions | When no predefined role fits and you need a precise permission set. |

Service accounts

  • Service accounts are non-human identities for apps and VMs. Grant a service account a role and attach it to a workload instead of using personal credentials.
  • Principle of least privilege: grant the narrowest role that gets the job done, at the lowest level of the hierarchy.
Production rule: avoid the Basic roles (Owner/Editor/Viewer) in production — they are far too broad. Use predefined roles, and only fall back to custom roles when none fit.
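
The inheritance and Basic-role rules above, as an added example (not part of the original cheat sheet): a Python sketch that merges allow policies from Organization down to Project and flags every Basic role, noting whether it was inherited. The policies use the `bindings` shape that `gcloud projects get-iam-policy <PROJECT_ID> --format=json` prints; the resource names, members and function names are constructed for illustration.

```python
"""Audit IAM allow policies down a resource hierarchy (constructed sample data)."""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed policies, ordered top -> bottom; every name and member is made up.
HIERARCHY = [
    ("organization", "example-org", {"bindings": [
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
    ]}),
    ("folder", "team-a", {"bindings": [
        {"role": "roles/compute.admin", "members": ["user:ops@example.com"]},
    ]}),
    ("project", "team-a-prod", {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@team-a-prod.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:lead@example.com"]},
    ]}),
]


def effective_grants(hierarchy):
    """Return (member, role, granted_at) tuples for the lowest resource."""
    # Allow policies are additive: the effective policy is the union of the
    # resource's own bindings and everything inherited from the levels above.
    grants = []
    for level, name, policy in hierarchy:
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                grants.append((member, binding["role"], f"{level}/{name}"))
    return grants


def findings(hierarchy):
    """Flag Basic roles and mark the ones granted above the project."""
    out = []
    for member, role, granted_at in effective_grants(hierarchy):
        if role in BASIC_ROLES:
            inherited = not granted_at.startswith("project/")
            out.append({"member": member, "role": role,
                        "granted_at": granted_at, "inherited": inherited})
    return out


if __name__ == "__main__":
    for f in findings(HIERARCHY):
        scope = "cascades to every project below" if f["inherited"] else "project-local"
        print(f"{f['member']}: {f['role']} at {f['granted_at']} ({scope})")
```

On the sample data the organization-level `roles/editor` grant is reported as inherited, which is the scope trap section 08 describes: the project's own policy would not show it.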

07 Operations & billing must-knows

  • Cloud Monitoring & Logging (formerly Stackdriver): metrics, dashboards, alerting policies and centralised logs — your first stop for "is it healthy / what happened".
  • Budgets & alerts: set a budget on a billing account and get notified at threshold percentages; a budget alert does not stop spending by itself.
  • Discount models: Sustained-use discounts apply automatically the longer a VM runs in a month; Committed-use discounts need a 1- or 3-year commitment for a bigger cut; Preemptible / Spot VMs are deeply discounted but can be reclaimed at any time.
  • Labels: key-value tags on resources for cost tracking, filtering and exporting billing by team or environment.
  • Quotas: per-project, per-region limits (e.g. CPUs, IP addresses); request increases through the Console when a deployment hits a cap.

08 Common traps

VPC scope: a VPC is global but its subnets are regional. Expect a question that hinges on a subnet living in one region while the network spans many.
Basic vs Predefined IAM: if an answer grants Owner/Editor "to be safe", it is usually wrong. The least-privilege answer uses a predefined role scoped to the task.
Cloud Run vs GKE vs App Engine: stateless container that scales to zero = Cloud Run; you need Kubernetes control = GKE; managed web app platform = App Engine. Read what the scenario actually needs to manage.
Sustained-use vs committed-use: sustained-use is automatic for long-running VMs; committed-use requires an upfront 1- or 3-year commitment. Do not confuse the two on a cost question.
Project vs folder vs org scope: watch where a policy is applied — granting at the Organization or Folder level cascades to every project beneath it, which is rarely what a single-team scenario wants.

09 FAQ

What is the GCP ACE passing score?

Google does not publish an official passing score for the Associate Cloud Engineer exam, and your result is reported simply as pass or fail. Community guidance puts the practical bar at roughly 70%, so aim for a consistent 80%+ on full-length practice tests before booking.

Is the Associate Cloud Engineer exam hard?

It is a fair associate-level exam, but it is hands-on flavoured: most questions are scenario based and expect you to know which gcloud command or Console action solves the problem. Candidates who have actually deployed VMs, GKE clusters, and IAM bindings find it manageable; pure memorisation struggles.

How long is the GCP ACE certification valid?

The Associate Cloud Engineer certification is valid for three years from the date you pass. To stay certified you re-take the exam (or its current version) before it expires.

Do I need coding experience for GCP ACE?

No heavy programming is required. You should be comfortable in a Linux shell and reading the gcloud and gsutil command syntax, but the exam does not ask you to write application code. Familiarity with the CLI and the Console matters far more than coding skill.

ExamCert Team: Certified cloud & security pros helping you pass faster.