nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #17

Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances. You want to distribute these credentials to

The correct answer is B. Use the instance's service account Application Default Credentials to authenticate to the required. Application Default Credentials (ADC) with the instance's attached service account is the most secure approach because there are no credential files to distribute, store, or rotate - the credentials are managed automatically by the Compute Engine metadata server and are scoped to

Develop secure applications

Question

Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances. You want to distribute these credentials to the host instances as securely as possible. What should you do?

Options

  • AUse HTTP signed URLs to securely provide access to the required resources.
  • BUse the instance's service account Application Default Credentials to authenticate to the required
  • CGenerate a P12 file from the GCP Console after the instance is deployed, and copy the
  • DCommit the credential JSON file into your application's source repository, and have your CI/CD

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    86% (25)
  • C
    7% (2)
  • D
    3% (1)

Explanation

Application Default Credentials (ADC) with the instance's attached service account is the most secure approach because there are no credential files to distribute, store, or rotate - the credentials are managed automatically by the Compute Engine metadata server and are scoped to the instance. Client libraries transparently use ADC without any credential file. Option A (signed URLs) is for temporary object-level access, not general authentication. Option C (copying P12 files) introduces a distribution and storage security risk. Option D (committing credentials to source code) is a critical security vulnerability and a well-known anti-pattern.

Topics

#Service Accounts#Application Default Credentials#Compute Engine#Security Best Practices

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice