
PROFESSIONAL-CLOUD-DEVELOPER Question #208: Real Exam Question with Answer & Explanation

The correct answer is A: Assign the Google Cloud service account to your GKE Pod using Workload Identity.

Integrating Google Cloud services

Question

You have an application deployed in Google Kubernetes Engine (GKE). You need to update the application to make authorized requests to Google Cloud managed services. You want this to be a one-time setup, and you need to follow security best practices of auto-rotating your security keys and storing them in an encrypted store. You already created a service account with appropriate access to the Google Cloud service. What should you do next?

Options

  • A. Assign the Google Cloud service account to your GKE Pod using Workload Identity.
  • B. Export the Google Cloud service account, and share it with the Pod as a Kubernetes Secret.
  • C. Export the Google Cloud service account, and embed it in the source code of the application.
  • D. Export the Google Cloud service account, and upload it to HashiCorp Vault to generate a

Explanation

Reference: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

Applications running on GKE might need access to Google Cloud APIs such as Compute Engine API, BigQuery Storage API, or Machine Learning APIs. Workload Identity allows a Kubernetes service account in your GKE cluster to act as an IAM service account. Pods that use the configured Kubernetes service account automatically authenticate as the IAM service account when accessing Google Cloud APIs. Using Workload Identity allows you to assign distinct, fine-grained identities and authorization for each application in your cluster.
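The mapping described above has three parts that must agree: the Pod's service account name, the annotation on the Kubernetes service account, and the IAM binding on the Google Cloud service account. The following check is an added example, not part of the original page or of Google's tooling; it assumes inputs shaped like `kubectl get ... -o json` and `gcloud iam service-accounts get-iam-policy --format=json` output, and every project, namespace and account name in it is a constructed placeholder.

```python
import json

WI_ANNOTATION = "iam.gke.io/gcp-service-account"  # annotation GKE reads on the KSA
WI_ROLE = "roles/iam.workloadIdentityUser"        # role that permits impersonation

# Constructed sample data; all names below are placeholders.
KSA = json.loads("""{"metadata": {"name": "app-ksa", "namespace": "prod",
  "annotations": {"iam.gke.io/gcp-service-account":
                  "app-gsa@example-project.iam.gserviceaccount.com"}}}""")
GSA_POLICY = json.loads("""{"bindings": [{"role": "roles/iam.workloadIdentityUser",
  "members": ["serviceAccount:example-project.svc.id.goog[prod/app-ksa]"]}]}""")
POD_OK = {"spec": {"serviceAccountName": "app-ksa", "containers": [{"name": "app"}]}}
POD_KEYFILE = {"spec": {"serviceAccountName": "default", "containers": [{
    "name": "app",
    "env": [{"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": "/var/secrets/key.json"}]}]}}


def audit(pod, ksa, gsa_policy, project):
    """Return findings; an empty list means the Pod uses Workload Identity end to end."""
    findings = []
    meta = ksa["metadata"]
    # 1. The Pod must run as the Kubernetes service account that carries the mapping.
    if pod["spec"].get("serviceAccountName", "default") != meta["name"]:
        findings.append("pod does not run as the annotated Kubernetes service account")
    # 2. The KSA must name the IAM service account it acts as.
    if not meta.get("annotations", {}).get(WI_ANNOTATION):
        findings.append("KSA lacks the " + WI_ANNOTATION + " annotation")
    # 3. The IAM service account must grant this exact namespace/KSA pair the role.
    member = "serviceAccount:%s.svc.id.goog[%s/%s]" % (
        project, meta["namespace"], meta["name"])
    bound = any(b["role"] == WI_ROLE and member in b.get("members", [])
                for b in gsa_policy.get("bindings", []))
    if not bound:
        findings.append("IAM policy has no " + WI_ROLE + " binding for " + member)
    # 4. Heuristic: this env var on a container usually means a mounted exported key.
    for c in pod["spec"].get("containers", []):
        if any(e.get("name") == "GOOGLE_APPLICATION_CREDENTIALS" for e in c.get("env", [])):
            findings.append("container %s sets GOOGLE_APPLICATION_CREDENTIALS" % c["name"])
    return findings


if __name__ == "__main__":
    for name, pod in (("POD_OK", POD_OK), ("POD_KEYFILE", POD_KEYFILE)):
        print(name, audit(pod, KSA, GSA_POLICY, "example-project") or "ok")
```

A Pod that passes all four checks holds no long-lived key material, which is what satisfies the question's rotation and storage requirements without an exported key.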

Topics

#GKE Authentication  #Workload Identity  #Service Accounts  #Security Best Practices
