nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #354

You are deploying a microservices application to GKE. One microservice needs to download files from a Cloud Storage bucket. You have an IAM service account with the Storage Object Viewer role on the p

The correct answer is D. Create a Kubernetes service account. Use an IAM policy to bind the IAM service account to a. The Google-recommended practice for GKE workloads accessing Google Cloud services is Workload Identity. This binds a Kubernetes service account (KSA) to a Google IAM service account (GSA) via an IAM policy, allowing pods running under that KSA to automatically impersonate the GSA

Managing application access and identity

Question

You are deploying a microservices application to GKE. One microservice needs to download files from a Cloud Storage bucket. You have an IAM service account with the Storage Object Viewer role on the project with the bucket. You need to configure your application to access the Cloud Storage bucket while following Google-recommended practices. What should you do?

Options

  • AAssign the IAM service account to the cluster's node pool. Configure the application to
  • BAssign the IAM service account to the cluster's node pool. Encrypt the IAM service account key
  • CCreate a Kubernetes service account. Create a Kubernetes secret with a base64-encoded IAM
  • DCreate a Kubernetes service account. Use an IAM policy to bind the IAM service account to a

How the community answered

(24 responses)
  • A
    17% (4)
  • B
    8% (2)
  • C
    4% (1)
  • D
    71% (17)

Explanation

The Google-recommended practice for GKE workloads accessing Google Cloud services is Workload Identity. This binds a Kubernetes service account (KSA) to a Google IAM service account (GSA) via an IAM policy, allowing pods running under that KSA to automatically impersonate the GSA without any service account keys. This eliminates the need to store or rotate credentials. Options A and B assign the IAM SA to the node pool, meaning all pods on those nodes share the same permissions-violating least privilege. Option C stores a base64-encoded SA key in a Kubernetes Secret, which is a security risk because secrets can be exfiltrated and the key must be manually rotated. Workload Identity is keyless and scoped per workload.

Topics

#GKE Security#Workload Identity#IAM#Cloud Storage Integration

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice