nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #344

Your infrastructure team uses Terraform Cloud and manages Google Cloud resources by using Terraform configuration files. You want to configure an infrastructure as code pipeline that authenticates to

The correct answer is C. Configure Terraform Cloud to use Workload Identity Federation to authenticate to the Google. Workload Identity Federation (WIF) allows Terraform Cloud to authenticate to Google Cloud APIs using its own OIDC identity token, eliminating the need for long-lived service account keys. This is the most secure approach because no credentials are stored or rotated, and it requir

Implementing and Managing Cloud Infrastructure

Question

Your infrastructure team uses Terraform Cloud and manages Google Cloud resources by using Terraform configuration files. You want to configure an infrastructure as code pipeline that authenticates to Google Cloud APIs. You want to use the most secure approach and minimize changes to the configuration. How should you configure the authentication?

Options

  • AUse Terraform on GKE. Create a Kubernetes service account to execute the Terraform code. Use
  • BInstall Terraform on a Compute Engine VM. Configure the VM by using a service account that has
  • CConfigure Terraform Cloud to use Workload Identity Federation to authenticate to the Google
  • DCreate a service account that has the required permissions to manage the Google Cloud

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    9% (3)
  • C
    86% (30)
  • D
    3% (1)

Explanation

Workload Identity Federation (WIF) allows Terraform Cloud to authenticate to Google Cloud APIs using its own OIDC identity token, eliminating the need for long-lived service account keys. This is the most secure approach because no credentials are stored or rotated, and it requires minimal configuration changes - just setting up the WIF provider and attribute mappings in Google Cloud. Option D (service account key files) requires downloading and distributing sensitive key files, which creates security risks. Option B (Compute Engine VM with attached service account) requires migrating away from Terraform Cloud to a self-managed VM, which contradicts the 'minimize changes' requirement. Option A (Terraform on GKE) similarly requires abandoning Terraform Cloud for a self-managed Kubernetes setup.

Topics

#Workload Identity Federation#Terraform Cloud#Google Cloud IAM#Infrastructure as Code

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice