PROFESSIONAL-CLOUD-DEVELOPER · Question #121
You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow secur
The correct answer is A. Configure the appropriate service accounts, and use Workload Identity to run the pods.. Workload Identity is the Google-recommended way for GKE workloads to authenticate to Google Cloud APIs. It works by linking a Kubernetes ServiceAccount to a Google Cloud service account via IAM binding, allowing pods to acquire short-lived credentials automatically without storin
Question
You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?
Options
- AConfigure the appropriate service accounts, and use Workload Identity to run the pods.
- BStore the application credentials as Kubernetes Secrets, and expose them as environment
- CConfigure the appropriate routing rules, and use a VPC-native cluster to directly connect to the
- DStore the application credentials using Cloud Key Management Service, and retrieve them
How the community answered
(26 responses)- A73% (19)
- B8% (2)
- C15% (4)
- D4% (1)
Explanation
Workload Identity is the Google-recommended way for GKE workloads to authenticate to Google Cloud APIs. It works by linking a Kubernetes ServiceAccount to a Google Cloud service account via IAM binding, allowing pods to acquire short-lived credentials automatically without storing any key files. This requires no code changes since the Google Cloud client libraries detect and use the credentials automatically. Option B (Kubernetes Secrets) still requires managing and distributing long-lived credential files, which is less secure. Option C (VPC-native routing) addresses network connectivity, not authentication. Option D (KMS) requires code changes to retrieve and decrypt credentials at runtime.
Topics
Community Discussion
No community discussion yet for this question.