PROFESSIONAL-CLOUD-DEVELOPER Question #121: Real Exam Question with Answer & Explanation
The correct answer is A: Configure the appropriate service accounts, and use Workload Identity to run the pods.
Question
You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?
Options
- A. Configure the appropriate service accounts, and use Workload Identity to run the pods.
- B. Store the application credentials as Kubernetes Secrets, and expose them as environment
- C. Configure the appropriate routing rules, and use a VPC-native cluster to directly connect to the
- D. Store the application credentials using Cloud Key Management Service, and retrieve them
Explanation
https://cloud.google.com/blog/products/containers-kubernetes/introducing-workload-identity-better-authentication-for-your-gke-applications

A Cloud IAM service account is an identity that an application can use to make requests to Google APIs. As an application developer, you could generate individual IAM service accounts for each application, and then download and store the keys as a Kubernetes secret that you manually rotate. Not only is this process burdensome, but service account keys only expire every 10 years (or until you manually rotate them). In the case of a breach or compromise, an unaccounted-for key could mean prolonged access for an attacker. This potential blind spot, plus the management overhead of key inventory and rotation, makes using service account keys as secrets a less than ideal method for authenticating GKE workloads.