PROFESSIONAL-CLOUD-DEVELOPER · Question #17
Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances. You want to distribute these credentials to
The correct answer is B. Use the instance's service account Application Default Credentials to authenticate to the required. Application Default Credentials (ADC) with the instance's attached service account is the most secure approach because there are no credential files to distribute, store, or rotate - the credentials are managed automatically by the Compute Engine metadata server and are scoped to
Question
Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances. You want to distribute these credentials to the host instances as securely as possible. What should you do?
Options
- AUse HTTP signed URLs to securely provide access to the required resources.
- BUse the instance's service account Application Default Credentials to authenticate to the required
- CGenerate a P12 file from the GCP Console after the instance is deployed, and copy the
- DCommit the credential JSON file into your application's source repository, and have your CI/CD
How the community answered
(29 responses)- A3% (1)
- B86% (25)
- C7% (2)
- D3% (1)
Explanation
Application Default Credentials (ADC) with the instance's attached service account is the most secure approach because there are no credential files to distribute, store, or rotate - the credentials are managed automatically by the Compute Engine metadata server and are scoped to the instance. Client libraries transparently use ADC without any credential file. Option A (signed URLs) is for temporary object-level access, not general authentication. Option C (copying P12 files) introduces a distribution and storage security risk. Option D (committing credentials to source code) is a critical security vulnerability and a well-known anti-pattern.
Topics
Community Discussion
No community discussion yet for this question.