You manage an App Engine Service that aggregates and visualizes data from BigQuery. The application is deployed with the default App Engine Service account. The data that needs to be visualized resides in a different project managed by another team. You do not have access to this project, but you want your application to be able to read data from the BigQuery dataset. What should you do?

1. A. Ask the other team to grant your default App Engine Service account the role of BigQuery Job User.
2. B. Ask the other team to grant your default App Engine Service account the role of BigQuery Data Viewer.
3. C. In Cloud IAM of your project, ensure that the default App Engine service account has the role of BigQuery Data Viewer.
4. D. In Cloud IAM of your project, grant a newly created service account from the other team the role of BigQuery Job User in your project.

Correct Answer: B
The resource that you need to get access is in the other project. roles/bigquery.dataViewer BigQuery Data Viewer
When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view.
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

You are the project owner of a GCP project and want to delegate control to colleagues to manage buckets and files in Cloud Storage. You want to follow Google-recommended practices. Which IAM roles should you grant your colleagues?

1. A. Project Editor
2. B. Storage Admin
3. C. Storage Object Admin
4. D. Storage Object Creator

Correct Answer: B
Storage Admin (roles/storage.admin) Grants full control of buckets and objects.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
firebase.projects.get resourcemanager.projects.get
resourcemanager.projects.list storage.buckets.* storage.objects.*
https://cloud.google.com/storage/docs/access-control/iam-roles
This role grants full control of buckets and objects. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
Ref: https://cloud.google.com/iam/docs/understanding-roles#storage-roles

You are building a new version of an application hosted in an App Engine environment. You want to test the new version with 1% of users before you completely switch your application over to the new version. What should you do?

1. A. Deploy a new version of your application in Google Kubernetes Engine instead of App Engine and then use GCP Console to split traffic.
2. B. Deploy a new version of your application in a Compute Engine instance instead of App Engine and then use GCP Console to split traffic.
3. C. Deploy a new version as a separate app in App Engin
4. D. Then configure App Engine using GCP Console to split traffic between the two apps.
5. E. Deploy a new version of your application in App Engin
6. F. Then go to App Engine settings in GCP Console and split traffic between the current version and newly deployed versions accordingly.

Correct Answer: D
GCP App Engine natively offers traffic splitting functionality between versions. You can use traffic splitting to specify a percentage distribution of traffic across two or more of the versions within a service. Splitting traffic allows you to conduct A/B testing between your versions and provides control over the pace when rolling out features.
Ref: https://cloud.google.com/appengine/docs/standard/python/splitting-traffic

You have one project called proj-sa where you manage all your service accounts. You want to be able to use a service account from this project to take snapshots of VMs running in another project called proj-vm. What should you do?

1. A. Download the private key from the service account, and add it to each VMs custom metadata.
2. B. Download the private key from the service account, and add the private key to each VM’s SSH keys.
3. C. Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.
4. D. When creating the VMs, set the service account’s API scope for Compute Engine to read/write.

Correct Answer: C
https://gtseres.medium.com/using-service-accounts-across-projects-in-gcp-cf9473fef8f0
You create the service account in proj-sa and take note of the service account email, then you go to proj-vm in IAM > ADD and add the service account's email as new member and give it the Compute Storage Admin role.
https://cloud.google.com/compute/docs/access/iam#compute.storageAdmin

Your organization has strict requirements to control access to Google Cloud projects. You need to enable your Site Reliability Engineers (SREs) to approve requests from the Google Cloud support team when an SRE opens a support case. You want to follow Google-recommended practices. What should you do?

1. A. Add your SREs to roles/iam.roleAdmin role.
2. B. Add your SREs to roles/accessapproval approver role.
3. C. Add your SREs to a group and then add this group to roles/iam roleAdmin role.
4. D. Add your SREs to a group and then add this group to roles/accessapproval approver role.

Correct Answer: D