PROFESSIONAL-CLOUD-DEVOPS-ENGINEER · Question #127
PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #127: Real Exam Question with Answer & Explanation
The correct answer is A: Save the API key in Secret Manager as a secret. Reference the secret as an environment. To securely manage an API key for a Cloud Run application, store it in Secret Manager and reference it as an environment variable.
Question
You are building an application that runs on Cloud Run. The application needs to access a third-party API by using an API key. You need to determine a secure way to store and use the API key in your application by following Google-recommended practices. What should you do?
Options
- A. Save the API key in Secret Manager as a secret. Reference the secret as an environment
- B. Save the API key in Secret Manager as a secret key. Mount the secret key under the /sys/api_key
- C. Save the API key in Cloud Key Management Service (Cloud KMS) as a key. Reference the key
- D. Encrypt the API key by using Cloud Key Management Service (Cloud KMS), and pass the key to
Explanation
To securely manage an API key for a Cloud Run application, store it in Secret Manager and reference it as an environment variable.
Common mistakes.
- B. While Secret Manager is correct, mounting the secret under /sys/api_key (or any file path) is typically used for specific scenarios like Kubernetes secrets mounted as volumes, but environment variables are the more common and often simpler recommended approach for secrets in Cloud Run, and /sys is a system directory not for application secrets.
- C. Cloud Key Management Service (Cloud KMS) is primarily for managing cryptographic keys for encryption, not for storing arbitrary secrets like API keys directly for application consumption as environment variables.
- D. Encrypting the API key with Cloud KMS and passing the encrypted key requires the application to decrypt it, which adds complexity and means the decryption key itself needs to be managed securely, whereas Secret Manager handles direct injection more efficiently.
Concept tested. Secure Secret Management (Secret Manager, Cloud Run)
Reference. https://cloud.google.com/secret-manager/docs/access-secrets-cloud-run
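What option A looks like in a Cloud Run service manifest, shown next to the plaintext setting it replaces. This is an added example, not part of the original question; the service, image, service account and secret names are placeholders.

```yaml
# Added example. Apply with: gcloud run services replace service.yaml
# Every name below (service, image, service account, secret) is a placeholder.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: example-service
spec:
  template:
    spec:
      # Runtime identity of the service. It must hold
      # roles/secretmanager.secretAccessor on the secret to read it.
      serviceAccountName: example-sa@PROJECT_ID.iam.gserviceaccount.com
      containers:
      - image: REGION-docker.pkg.dev/PROJECT_ID/example-repo/example-app:TAG
        env:
        # Weak setting: the key sits in the service configuration in plaintext
        # and is visible to anyone who can view the service.
        # - name: API_KEY
        #   value: "PLAINTEXT_KEY_HERE"

        # Option A: the value is resolved from Secret Manager when an instance starts.
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: third-party-api-key   # secret name in Secret Manager
              key: "1"                    # secret version, pinned rather than "latest"
```

Because the environment variable is resolved at instance startup, a rotated key reaches the application only when the manifest points at the new version and a new revision is deployed.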