ASSOCIATE-CLOUD-ENGINEER Question #359: Real Exam Question with Answer & Explanation
The correct answer is D.
Question
You are deploying an application to Google Kubernetes Engine (GKE). The application needs to make API calls to a private Cloud Storage bucket. You need to configure your application Pods to authenticate to the Cloud Storage API, but your organization policy prevents the usage of service account keys. You want to follow Google-recommended practices. What should you do?
Options
- A. Create the GKE cluster and deploy the application. Request a security exception to create a
- B. Create the GKE cluster and deploy the application. Request a security exception to create a
- C. Create the GKE cluster with Workload Identity Federation. Configure the default node service
- D. Create the GKE cluster with Workload Identity Federation. Create a Google service account and
Explanation
Creating the GKE cluster with Workload Identity Federation and configuring a Kubernetes ServiceAccount to use Workload Identity Federation is the recommended approach. This method avoids the use of service account keys while still allowing the application Pods to authenticate to Google Cloud services securely. The Kubernetes ServiceAccount is mapped to a Google service account that holds the IAM roles needed to access the Cloud Storage bucket, adhering to Google-recommended practices.
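The wiring described above, as an added example that is not part of the original question: a script that creates the cluster with Workload Identity Federation, creates a Google service account with read access to the bucket, grants the Kubernetes ServiceAccount permission to impersonate it, and annotates the Kubernetes ServiceAccount. Project, cluster, bucket and account names are placeholders; the helper functions only build the identifiers, and nothing is applied unless the script is run with the `apply` argument.

```shell
#!/usr/bin/env bash
# Added example: keyless Pod-to-Cloud-Storage auth via Workload Identity Federation for GKE.
# All names below are placeholders; override them through the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"        # placeholder project
CLUSTER="${CLUSTER:-app-cluster}"
REGION="${REGION:-us-central1}"
NAMESPACE="${NAMESPACE:-app}"
KSA="${KSA:-storage-reader}"                  # Kubernetes ServiceAccount
GSA_NAME="${GSA_NAME:-gke-storage-reader}"    # Google service account (no key is ever created)
BUCKET="${BUCKET:-my-private-bucket}"         # placeholder bucket

# Email of the Google service account the Pods will impersonate.
gsa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# IAM principal naming one Kubernetes ServiceAccount inside the cluster's
# workload identity pool (PROJECT_ID.svc.id.goog). Args: project namespace ksa.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"; }

apply() {
  gsa="$(gsa_email "$GSA_NAME" "$PROJECT_ID")"
  # 1. Cluster with Workload Identity Federation enabled (the workload pool).
  gcloud container clusters create "$CLUSTER" --region "$REGION" \
    --workload-pool="${PROJECT_ID}.svc.id.goog" --project "$PROJECT_ID"
  # 2. Google service account with only the bucket permission it needs.
  gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"
  gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
    --member="serviceAccount:${gsa}" --role=roles/storage.objectViewer
  # 3. Let the KSA impersonate the GSA; this replaces any downloaded key.
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --role=roles/iam.workloadIdentityUser \
    --member="$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")" --project "$PROJECT_ID"
  # 4. Annotate the KSA so the GKE metadata server issues tokens for the GSA
  #    to Pods that run with serviceAccountName: $KSA in namespace $NAMESPACE.
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  kubectl create serviceaccount "$KSA" -n "$NAMESPACE"
  kubectl annotate serviceaccount "$KSA" -n "$NAMESPACE" \
    "iam.gke.io/gcp-service-account=${gsa}"
}

# Only apply when asked, so the helpers can be sourced and checked offline.
if [ "${1:-}" = "apply" ]; then apply; fi
```

Option C would instead reuse the node's default service account for every Pod on the node; the per-KSA binding above is what keeps the bucket permission scoped to this application.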
Community Discussion
No community discussion yet for this question.