Google ACE Cheat Sheet 2026 — All 5 Domains + gcloud Commands

Exam facts at a glance

• 50 questions, multiple choice + multiple select.
• 120 minutes. Average ~2 min 24 sec per question.
• $200 USD per attempt.
• Passing score not published; community estimates ~70%.
• Valid 3 years.
• Retake waits: 14 days → 60 days → 365 days.
• Online-proctored or test-centre delivery. Closed book.
• Full exam-format details: ACE Exam Guide 2026.

GCP resource hierarchy

One of the most-tested concepts on Domain 1:

Organization (1) └── Folders (many, nested up to 10 deep) └── Projects (many) └── Resources (VMs, buckets, clusters, etc.)

IAM inheritance is downward. A role granted at organisation level applies to every folder, project, and resource beneath. A role granted at project level applies to every resource in that project. Resource-level bindings are most specific.

Billing accounts are linked to projects, not to organisations. One billing account can pay for many projects. One project has exactly one billing account.

Compute decision tree (memorise this)

Given a scenario, pick the compute option in this order:

1. Scale-to-zero + HTTP-triggered + minimal ops → Cloud Run service.
2. Scale-to-zero + event-triggered + single function → Cloud Functions gen 2.
3. Container orchestration + low operational overhead → GKE Autopilot.
4. Container orchestration + needs DaemonSets / privileged / custom CNI → GKE Standard.
5. Web app / API with managed runtime + no infra ops → App Engine standard (or Cloud Run — Cloud Run is the modern default).
6. Full OS control / long-running / specialised hardware → Compute Engine.
7. Finite batch job, runs to completion → Cloud Run jobs or Batch.

See Compute Engine vs GKE vs Cloud Run for the detailed comparison.

GKE Autopilot vs Standard

Exam tell: “minimise operational overhead” or “team has no Kubernetes ops experience” → Autopilot. “Needs DaemonSets” or “privileged container” or “custom CNI” → Standard.

Cloud Run essentials

• Services: request/response model. Scales 0 to N. Has revisions and traffic splits.
• Jobs: finite batch work. Runs to completion, exits.
• Revisions: each deploy creates a new revision. Traffic splits between revisions (e.g., 90/10 canary).
• Min/max instances: control cold starts vs cost. min=0 means scale to zero.
• Concurrency: requests per container instance, default 80, max 1000.
• Public access: requires IAM binding allUsers → roles/run.invoker. Otherwise 403.
• VPC connector: for accessing private resources inside a VPC.

Cloud Storage classes

Lifecycle policies: transition objects between classes (e.g., Standard → Nearline after 30 days) or delete objects after N days. Signed URLs: time-limited HTTPS URLs that grant access without IAM. Use for sharing with non-Google users. IAM beats ACLs: modern Google practice is uniform bucket-level access (UBLA) with IAM only.

Cloud SQL essentials

• Engines: MySQL, PostgreSQL, SQL Server.
• HA (high availability): synchronous replica in a different zone in the same region. Automatic failover.
• Read replicas: asynchronous, offload read traffic. Up to 10 replicas. Different region allowed.
• Automated backups: daily, retained 7 days by default.
• Point-in-time recovery (PITR): restore to any second within retention period, using binary logs.
• Connection: via Cloud SQL Auth Proxy (recommended), private IP (VPC-native), or public IP + authorised networks.

VPC and firewall rules

• VPCs are global. Subnets are regional (one CIDR range per region).
• Auto-mode: GCP creates a subnet per region automatically. Custom-mode: you create each subnet.
• Firewall rules: priority (0-65535, lower=higher priority), direction (ingress/egress), action (allow/deny), source/target.
• Default rules: allow all egress, allow ingress for SSH/RDP/ICMP from anywhere on the default network. Custom-mode VPCs have no default firewall rules.
• Source targeting: by IP range (CIDR), network tag, or service account.
• Private Google Access: enable on a subnet so VMs without external IPs can reach Google APIs.
• Cloud NAT: outbound internet for private VMs (no external IPs).
• VPC Peering: connect two VPCs (no transitive peering). Shared VPC: one host project shares network with service projects.

See GCP Networking Fundamentals for the deep dive.

Load balancers — which when

IAM roles cheat sheet

Three role types:

• Primitive: Owner, Editor, Viewer. Avoid on the exam — too broad. Rarely the right answer.
• Predefined: roles/compute.instanceAdmin, roles/storage.objectViewer, etc. The expected answer for most scenarios.
• Custom: define your own permission set. Use when no predefined role fits.

Bind a role at four possible levels (most specific wins / unions):

Organization → Folder → Project → Resource

Common predefined roles to recognise:

• roles/viewer, roles/editor, roles/owner (primitive — avoid)
• roles/compute.instanceAdmin.v1, roles/compute.networkAdmin
• roles/container.admin, roles/container.developer (GKE)
• roles/storage.admin, roles/storage.objectViewer, roles/storage.objectCreator
• roles/iam.serviceAccountUser, roles/iam.serviceAccountTokenCreator
• roles/cloudsql.admin, roles/cloudsql.client, roles/cloudsql.instanceUser
• roles/run.admin, roles/run.invoker
• roles/logging.viewer, roles/monitoring.viewer

Full IAM concepts: GCP IAM Explained.

Service accounts and Workload Identity

The Google-recommended modern patterns (and what the exam expects):

• Attach SA directly to VMs and Cloud Run services. No JSON keys involved.
• Workload Identity for GKE: bind a Kubernetes SA to a Google SA. Pods get short-lived tokens.
• Service-account impersonation: short-lived access via --impersonate-service-account. Avoids long-lived JSON keys.
• Default service accounts: avoid using these for production workloads. Create user-managed SAs instead.
• JSON key files: almost always the wrong exam answer. If you see “download a service-account JSON key” in the options, suspect a trap.

Monitoring, logging, alerting

• Cloud Monitoring: metrics, dashboards, uptime checks, alert policies, notification channels.
• Cloud Logging: log buckets (default 30-day retention), log sinks (export to Pub/Sub, BigQuery, Cloud Storage), log-based metrics.
• Cloud Trace: distributed tracing for latency analysis.
• Cloud Profiler: CPU and heap profiling.
• Cloud Audit Logs: Admin Activity (always on, free), Data Access (opt-in, paid), System Event, Policy Denied.
• Alert policies: built on Cloud Monitoring metrics. Thresholds, duration windows, notification channels (email, SMS, Slack, PagerDuty, webhook).

30 must-know gcloud commands

Recognise the verb and the resource for each:

# Auth & config gcloud init gcloud auth login gcloud auth application-default login gcloud config set project PROJECT_ID gcloud config configurations create NAME gcloud projects list gcloud services enable SERVICE.googleapis.com # Compute Engine gcloud compute instances create NAME --machine-type=e2-medium --zone=us-central1-a gcloud compute instances list gcloud compute instances start/stop/delete NAME gcloud compute ssh NAME gcloud compute instance-templates create NAME ... gcloud compute instance-groups managed create NAME ... # GKE gcloud container clusters create NAME --region=us-central1 gcloud container clusters create NAME --autopilot --region=us-central1 gcloud container clusters get-credentials NAME --region=us-central1 gcloud container node-pools create NAME --cluster=CLUSTER ... # Cloud Run gcloud run deploy SERVICE --image=IMAGE --region=REGION gcloud run services list gcloud run services update-traffic SERVICE --to-revisions=REV1=90,REV2=10 # IAM gcloud iam service-accounts create NAME gcloud iam service-accounts keys create FILE --iam-account=SA_EMAIL  # avoid in production gcloud projects add-iam-policy-binding PROJECT --member=USER --role=ROLE gcloud projects remove-iam-policy-binding PROJECT --member=USER --role=ROLE # Cloud Storage gcloud storage buckets create gs://BUCKET --location=us-central1 gcloud storage cp FILE gs://BUCKET/ gcloud storage rm gs://BUCKET/FILE gsutil iam ch user:USER@example.com:objectViewer gs://BUCKET  # legacy syntax # Cloud SQL gcloud sql instances create NAME --database-version=POSTGRES_15 --tier=db-f1-micro --region=us-central1 gcloud sql instances list

You do not need to memorise every flag. Recognise the verb-resource pattern. If you see gcloud container clusters in an answer option, you should immediately know it is about GKE.

Top 5 trap-question patterns

1. GKE Autopilot vs Standard — Autopilot is the answer when ops overhead is the constraint and no node-level requirements exist.
2. Service-account JSON keys — almost always wrong. Use Workload Identity, impersonation, or direct SA attachment.
3. Primitive IAM roles (Owner/Editor/Viewer) — almost always wrong. Use predefined or custom roles.
4. Quota level confusion — VMs and CPU cores are regional quotas. “Autoscaler stopped at 20 VMs” → regional CPU quota.
5. OS Login vs metadata SSH keys — modern projects use OS Login (IAM-based). Revoke access via IAM, not metadata.

Detailed explanations in How to Pass Google ACE on the First Try.

Exam-day pocket guide

If you can only review one section in the final hour before exam, review this:

• 50 questions, 120 minutes, ~2 min per question average. Flag long ones, return at the end.
• “Choose two” or “Choose three” questions: read the stem twice.
• When two answers look right: pick the more managed / serverless / IAM-based / regional one.
• JSON service-account keys: almost always wrong.
• Primitive IAM roles: almost always wrong.
• Autopilot beats Standard unless node-level needs are explicit.
• Cloud Run beats GKE unless container orchestration features are explicit.
• Multi-select questions: partial credit does not exist. Pick the full set or you lose the point.
• If frozen on a question past 4 minutes: flag, move on, return at the end.

Frequently asked questions