PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #159: Real Exam Question with Answer & Explanation

Question

Your application artifacts are being built and deployed via a CI/CD pipeline. You want the CI/CD pipeline to securely access application secrets. You also want to more easily rotate secrets in case of a security breach. What should you do?

Options

• APrompt developers for secrets at build time. Instruct developers to not store secrets at rest.
• BStore secrets in a separate configuration file on Git. Provide select developers with access to the
• CStore secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline
• DEncrypt the secrets and store them in the source code repository. Store a decryption key in a

Explanation

To securely manage application secrets for a CI/CD pipeline, storing them in Cloud Storage encrypted with Cloud KMS and granting the pipeline service account access is the recommended approach for both security and easy rotation.

Common mistakes.

• A. Prompting developers for secrets at build time is manual, prone to human error, does not scale, and does not address the need for easy rotation or automated access for the CI/CD pipeline.
• B. Storing secrets in plain text or even encrypted in a configuration file within Git is a significant security risk, as the repository history retains the secrets and access control is less granular than dedicated secret management solutions.
• D. Encrypting secrets in the source code repository and storing a decryption key separately is complex to manage, and the encrypted secrets are still part of the repository history, which is not ideal for robust secret management and rotation compared to a dedicated secret management solution like KMS.

Concept tested. Secure secret management in CI/CD pipelines

Reference. https://cloud.google.com/architecture/security-best-practices-ci-cd#secrets

No community discussion yet for this question.