Question 3 - Google Associate Cloud Engineer Real Exam Questions [March 2026 Update]

Q: 3

You want to configure an SSH connection to a single Compute Engine instance for users in the dev1 group. This instance is the only resource in this particular Google Cloud Platform project that the dev1 users should be able to connect to. What should you do?

Options

Discussion

Morgan G. Feb 24, 2026 6:21 pm

A , that's the pattern shown in the official documentation and practice tests, especially for scoped SSH via IAM.

Parker C. Feb 14, 2026 6:25 am

D, not A

Quinn Z. Feb 16, 2026 10:30 am

Option D looks good to me since blocking project-wide keys and sharing one key with the dev1 group gets access limited to just that instance. Pretty sure that's valid unless central IAM control is strictly needed. Not 100% though.

PracticalLearner6122 Feb 27, 2026 7:46 pm

Makes sense to pick A here.

Arjun C. Feb 21, 2026 11:43 am

Yeah, A is right here. OS Login with compute.osLogin role keeps things centralized and lets you control access just for that instance through IAM. It's pretty much the recommended way for this use case, unless I missed something.

PreciseArchitect5828 Feb 20, 2026 5:23 pm

C/D? I think D is pretty close since blocking project-wide keys and sharing one instance key keeps the access scoped to just that VM. Lots of people get tripped up by OS Login vs manual SSH key setup. Anyone agree?

Taylor B. Mar 5, 2026 5:56 pm

A , saw this setup in official guide and some Google sample tests too.

Skyler Feb 15, 2026 2:31 pm

Probably A since official docs and practice exams both highlight OS Login plus compute.osLogin role for tight access control. I'd check the Google guide section on IAM roles if you're not sure here. Anyone see it another way?

Rowan U. Feb 16, 2026 1:21 am

A tbh

Morgan M. Feb 19, 2026 2:16 pm

A. Seen similar in practice dumps-official doc also points toward OS Login and per-instance IAM for this scenario. Worth reviewing the permissions section in the Google study guide if unsure.

Be respectful. No spam.

Correct Answer:

Explanation

The most secure, scalable, and manageable method to grant SSH access to a specific group of users for a single instance is by using OS Login. OS Login links a user's Google identity with their VM's POSIX account and manages access through IAM roles.

By setting the instance metadata enable-oslogin=true, you activate this feature for that specific instance. Granting the roles/compute.osLogin IAM role to the dev1 group provides the necessary permissions for its members to establish an SSH connection to any instance with OS Login enabled, without granting them broader administrative privileges. This combination precisely meets the requirement of providing scoped access to the specified group.

Why Incorrect

B. This option is incomplete. While it correctly enables OS Login, it fails to grant the necessary IAM role (compute.osLogin) to the dev1 group, so the users would have no permission to connect.

C. This method is insecure and unscalable. It requires manually generating, distributing, and managing individual SSH keys for each user, which is prone to error and becomes a significant administrative burden as the group changes.

D. Sharing a single private SSH key among multiple users is a severe security anti-pattern. It eliminates individual accountability and makes key revocation and rotation extremely difficult if the key is compromised.

References

1. Google Cloud Documentation - About OS Login: "OS Login lets you use Compute Engine IAM roles to grant and revoke SSH access to your Linux instances... OS Login is the recommended way to manage many users across multiple instances or projects." This document also specifies that you enable OS Login by setting the enable-oslogin metadata value to TRUE.

Source: Google Cloud Documentation

"About OS Login".

2. Google Cloud Documentation - Set up OS Login: "After you enable OS Login on one or more instances in your project

you need to grant the necessary IAM roles to users." It lists roles/compute.osLogin as the role required to connect to instances.

Source: Google Cloud Documentation

"Set up OS Login"

Step 2: Grant necessary IAM roles.

3. Google Cloud Documentation - Compute Engine predefined IAM roles: The compute.osLogin role is described as providing "permissions to log in to Compute Engine instances using OS Login. This role does not grant administrator access." This confirms it as the appropriate least-privilege role.

Source: Google Cloud Documentation

"Compute Engine IAM roles"

Predefined roles table.

4. Google Cloud Documentation - Managing SSH keys in metadata: This document describes the manual method of managing keys and contrasts it with OS Login. It explains that blocking project-wide keys is a way to restrict access

but it still relies on manually adding instance-level keys

which is less manageable than OS Login.

Source: Google Cloud Documentation

"Managing SSH keys in metadata"

section "Instance-level public SSH keys".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE