PROFESSIONAL-CLOUD-DEVELOPER · Question #231
You are a developer at a large organization. You have an application written in Go running in a production Google Kubernetes Engine (GKE) cluster. You need to add a new feature that requires access to
The correct answer is D. Create a Google service account and a Kubernetes service account. Configure Workload Identity. Workload Identity is Google's recommended way to grant Google Cloud service permissions to workloads running in GKE. It links a Kubernetes service account to a Google service account, allowing pods to authenticate as the Google service account without needing to manage or distrib
Question
You are a developer at a large organization. You have an application written in Go running in a production Google Kubernetes Engine (GKE) cluster. You need to add a new feature that requires access to BigQuery. You want to grant BigQuery access to your GKE cluster following Google-recommended best practices. What should you do?
Options
- ACreate a Google service account with BigQuery access. Add the JSON key to Secret Manager,
- BCreate a Google service account with BigQuery access. Add the Google service account JSON
- CCreate a Google service account with BigQuery access. Add the Google service account JSON
- DCreate a Google service account and a Kubernetes service account. Configure Workload Identity
How the community answered
(28 responses)- A4% (1)
- B11% (3)
- C7% (2)
- D79% (22)
Explanation
Workload Identity is Google's recommended way to grant Google Cloud service permissions to workloads running in GKE. It links a Kubernetes service account to a Google service account, allowing pods to authenticate as the Google service account without needing to manage or distribute JSON key files. Options A, B, and C all involve JSON key files, which are discouraged because keys can be leaked, rotated incorrectly, or stored insecurely. Workload Identity eliminates the need for long-lived credentials entirely, following the principle of least privilege and Google's best practices for secure GKE authentication.
Topics
Community Discussion
No community discussion yet for this question.