nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #231

You are a developer at a large organization. You have an application written in Go running in a production Google Kubernetes Engine (GKE) cluster. You need to add a new feature that requires access to

The correct answer is D. Create a Google service account and a Kubernetes service account. Configure Workload Identity. Workload Identity is Google's recommended way to grant Google Cloud service permissions to workloads running in GKE. It links a Kubernetes service account to a Google service account, allowing pods to authenticate as the Google service account without needing to manage or distrib

Implementing security for applications

Question

You are a developer at a large organization. You have an application written in Go running in a production Google Kubernetes Engine (GKE) cluster. You need to add a new feature that requires access to BigQuery. You want to grant BigQuery access to your GKE cluster following Google-recommended best practices. What should you do?

Options

  • ACreate a Google service account with BigQuery access. Add the JSON key to Secret Manager,
  • BCreate a Google service account with BigQuery access. Add the Google service account JSON
  • CCreate a Google service account with BigQuery access. Add the Google service account JSON
  • DCreate a Google service account and a Kubernetes service account. Configure Workload Identity

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    11% (3)
  • C
    7% (2)
  • D
    79% (22)

Explanation

Workload Identity is Google's recommended way to grant Google Cloud service permissions to workloads running in GKE. It links a Kubernetes service account to a Google service account, allowing pods to authenticate as the Google service account without needing to manage or distribute JSON key files. Options A, B, and C all involve JSON key files, which are discouraged because keys can be leaked, rotated incorrectly, or stored insecurely. Workload Identity eliminates the need for long-lived credentials entirely, following the principle of least privilege and Google's best practices for secure GKE authentication.

Topics

#Workload Identity#GKE Security#IAM#Service Accounts

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice