nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #132

You are creating and running containers across different projects in Google Cloud. The application you are developing needs to access Google Cloud services from within Google Kubernetes Engine (GKE).

The correct answer is B. Use a Google service account to run the Pod with Workload Identity.. Workload Identity is Google's recommended approach for allowing GKE workloads to authenticate to Google Cloud APIs. It links a Kubernetes Service Account (KSA) to a Google Service Account (GSA), so pods running as that KSA automatically obtain short-lived credentials without any

Managing Application Identity and Access

Question

You are creating and running containers across different projects in Google Cloud. The application you are developing needs to access Google Cloud services from within Google Kubernetes Engine (GKE). What should you do?

Options

  • AAssign a Google service account to the GKE nodes.
  • BUse a Google service account to run the Pod with Workload Identity.
  • CStore the Google service account credentials as a Kubernetes Secret.
  • DUse a Google service account with GKE role-based access control (RBAC).

How the community answered

(41 responses)
  • A
    2% (1)
  • B
    83% (34)
  • C
    10% (4)
  • D
    5% (2)

Explanation

Workload Identity is Google's recommended approach for allowing GKE workloads to authenticate to Google Cloud APIs. It links a Kubernetes Service Account (KSA) to a Google Service Account (GSA), so pods running as that KSA automatically obtain short-lived credentials without any static key files. This eliminates the risk of long-lived credential leakage. Option A (assigning a GSA to nodes) grants every pod on those nodes the same permissions, violating the principle of least privilege. Option C (storing GSA key JSON as a Kubernetes Secret) creates long-lived, exportable credentials that are a security risk and harder to rotate. Option D conflates Kubernetes RBAC (which controls Kubernetes API access) with Google Cloud IAM (which controls Google Cloud resource access); they are separate systems and RBAC alone cannot authorize access to Cloud services.

Topics

#GKE#Workload Identity#Service Accounts#Access Management

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice