PROFESSIONAL-CLOUD-DEVELOPER · Question #247
Your application is running as a container in a Google Kubernetes Engine cluster. You need to add a secret to your application using a secure approach. What should you do?
The correct answer is D. Store the credential in Secret Manager. Create a Google service account (GSA) to read the. Google Secret Manager is the purpose-built, fully managed service for storing, accessing, and auditing secrets on Google Cloud. The recommended pattern for GKE is: store the secret in Secret Manager, create a Google Service Account (GSA) with Secret Manager access, bind it to a K
Question
Your application is running as a container in a Google Kubernetes Engine cluster. You need to add a secret to your application using a secure approach. What should you do?
Options
- ACreate a Kubernetes Secret, and pass the Secret as an environment variable to the container.
- BEnable Application-layer Secret Encryption on the cluster using a Cloud Key Management
- CStore the credential in Cloud KMS. Create a Google service account (GSA) to read the credential
- DStore the credential in Secret Manager. Create a Google service account (GSA) to read the
How the community answered
(30 responses)- A3% (1)
- B7% (2)
- C13% (4)
- D77% (23)
Explanation
Google Secret Manager is the purpose-built, fully managed service for storing, accessing, and auditing secrets on Google Cloud. The recommended pattern for GKE is: store the secret in Secret Manager, create a Google Service Account (GSA) with Secret Manager access, bind it to a Kubernetes Service Account via Workload Identity, and mount the secret in the pod. This avoids storing plaintext secrets in Kubernetes etcd. Option A (Kubernetes Secret as env var) is less secure - environment variables can be exposed in logs and process listings. Option B (Application-layer Encryption) encrypts secrets stored in etcd but does not manage secret lifecycle or rotation. Option C uses Cloud KMS, which is for cryptographic key management and data encryption, not secret storage.
Topics
Community Discussion
No community discussion yet for this question.