PROFESSIONAL-CLOUD-DEVELOPER · Question #208
You have an application deployed in Google Kubernetes Engine (GKE). You need to update the application to make authorized requests to Google Cloud managed services. You want this to be a one-time setu
The correct answer is A. Assign the Google Cloud service account to your GKE Pod using Workload Identity.. Workload Identity is the Google-recommended way to authenticate GKE workloads to Google Cloud services. It binds a Kubernetes Service Account to a Google Cloud Service Account, allowing pods to automatically obtain short-lived, auto-rotating credentials managed entirely by Google
Question
You have an application deployed in Google Kubernetes Engine (GKE). You need to update the application to make authorized requests to Google Cloud managed services. You want this to be a one-time setup, and you need to follow security best practices of auto-rotating your security keys and storing them in an encrypted store. You already created a service account with appropriate access to the Google Cloud service. What should you do next?
Options
- AAssign the Google Cloud service account to your GKE Pod using Workload Identity.
- BExport the Google Cloud service account, and share it with the Pod as a Kubernetes Secret.
- CExport the Google Cloud service account, and embed it in the source code of the application.
- DExport the Google Cloud service account, and upload it to HashiCorp Vault to generate a
How the community answered
(29 responses)- A72% (21)
- B17% (5)
- C7% (2)
- D3% (1)
Explanation
Workload Identity is the Google-recommended way to authenticate GKE workloads to Google Cloud services. It binds a Kubernetes Service Account to a Google Cloud Service Account, allowing pods to automatically obtain short-lived, auto-rotating credentials managed entirely by Google's secure infrastructure - no key files to export, store, or rotate manually. Options B and D both require exporting a long-lived service account key, which contradicts the requirement for auto-rotation and introduces key management risk. Option C (embedding credentials in source code) is a critical security anti-pattern and is never acceptable.
Topics
Community Discussion
No community discussion yet for this question.