nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #121

You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow secur

The correct answer is A. Configure the appropriate service accounts, and use Workload Identity to run the pods.. Workload Identity is the Google-recommended way for GKE workloads to authenticate to Google Cloud APIs. It works by linking a Kubernetes ServiceAccount to a Google Cloud service account via IAM binding, allowing pods to acquire short-lived credentials automatically without storin

Developing secure applications

Question

You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?

Options

  • AConfigure the appropriate service accounts, and use Workload Identity to run the pods.
  • BStore the application credentials as Kubernetes Secrets, and expose them as environment
  • CConfigure the appropriate routing rules, and use a VPC-native cluster to directly connect to the
  • DStore the application credentials using Cloud Key Management Service, and retrieve them

How the community answered

(26 responses)
  • A
    73% (19)
  • B
    8% (2)
  • C
    15% (4)
  • D
    4% (1)

Explanation

Workload Identity is the Google-recommended way for GKE workloads to authenticate to Google Cloud APIs. It works by linking a Kubernetes ServiceAccount to a Google Cloud service account via IAM binding, allowing pods to acquire short-lived credentials automatically without storing any key files. This requires no code changes since the Google Cloud client libraries detect and use the credentials automatically. Option B (Kubernetes Secrets) still requires managing and distributing long-lived credential files, which is less secure. Option C (VPC-native routing) addresses network connectivity, not authentication. Option D (KMS) requires code changes to retrieve and decrypt credentials at runtime.

Topics

#Workload Identity#Google Kubernetes Engine (GKE)#IAM#Security Best Practices

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice