nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #247

Your application is running as a container in a Google Kubernetes Engine cluster. You need to add a secret to your application using a secure approach. What should you do?

The correct answer is D. Store the credential in Secret Manager. Create a Google service account (GSA) to read the. Google Secret Manager is the purpose-built, fully managed service for storing, accessing, and auditing secrets on Google Cloud. The recommended pattern for GKE is: store the secret in Secret Manager, create a Google Service Account (GSA) with Secret Manager access, bind it to a K

Implementing application security

Question

Your application is running as a container in a Google Kubernetes Engine cluster. You need to add a secret to your application using a secure approach. What should you do?

Options

  • ACreate a Kubernetes Secret, and pass the Secret as an environment variable to the container.
  • BEnable Application-layer Secret Encryption on the cluster using a Cloud Key Management
  • CStore the credential in Cloud KMS. Create a Google service account (GSA) to read the credential
  • DStore the credential in Secret Manager. Create a Google service account (GSA) to read the

How the community answered

(30 responses)
  • A
    3% (1)
  • B
    7% (2)
  • C
    13% (4)
  • D
    77% (23)

Explanation

Google Secret Manager is the purpose-built, fully managed service for storing, accessing, and auditing secrets on Google Cloud. The recommended pattern for GKE is: store the secret in Secret Manager, create a Google Service Account (GSA) with Secret Manager access, bind it to a Kubernetes Service Account via Workload Identity, and mount the secret in the pod. This avoids storing plaintext secrets in Kubernetes etcd. Option A (Kubernetes Secret as env var) is less secure - environment variables can be exposed in logs and process listings. Option B (Application-layer Encryption) encrypts secrets stored in etcd but does not manage secret lifecycle or rotation. Option C uses Cloud KMS, which is for cryptographic key management and data encryption, not secret storage.

Topics

#Secret Management#Kubernetes Engine#Application Security#Google Cloud IAM

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice