PROFESSIONAL-CLOUD-DEVELOPER · Question #165
You are developing a microservice-based application that will run on Google Kubernetes Engine (GKE). Some of the services need to access different Google Cloud APIs. How should you set up authenticati
The correct answer is B. Enable Workload Identity in the cluster via the gcloud command-line tool. E. Use gcloud to bind the Kubernetes service account and the Google service account using. Google's recommended approach for GKE workload authentication is Workload Identity. It eliminates the need to manage or distribute service account key files by allowing Kubernetes Service Accounts (KSA) to impersonate Google Service Accounts (GSA). Step B enables Workload Identit
Question
You are developing a microservice-based application that will run on Google Kubernetes Engine (GKE). Some of the services need to access different Google Cloud APIs. How should you set up authentication of these services in the cluster following Google-recommended best practices? (Choose two.)
Options
- AUse the service account attached to the GKE node.
- BEnable Workload Identity in the cluster via the gcloud command-line tool.
- CAccess the Google service account keys from a secret management service.
- DStore the Google service account keys in a central secret management service.
- EUse gcloud to bind the Kubernetes service account and the Google service account using
How the community answered
(24 responses)- A4% (1)
- B79% (19)
- C4% (1)
- D13% (3)
Explanation
Google's recommended approach for GKE workload authentication is Workload Identity. It eliminates the need to manage or distribute service account key files by allowing Kubernetes Service Accounts (KSA) to impersonate Google Service Accounts (GSA). Step B enables Workload Identity on the cluster, and Step E performs the IAM binding that links a KSA to a GSA - both are required steps. Using the node's service account (A) violates least-privilege because all pods on that node share the same permissions. Storing service account keys in a secret manager (C/D) is better than hardcoding them, but it still requires key rotation and is explicitly less secure than Workload Identity per Google's best practices.
Topics
Community Discussion
No community discussion yet for this question.