PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #85: Real Exam Question with Answer & Explanation
The correct answer is C: Create a dedicated service account for the Terraform instance. Download and copy the secret. To authorize a Jenkins instance on a Google Cloud VM to create resources with Terraform, create a dedicated service account with specific permissions, and use its key file for authentication.
Question
Your company uses Jenkins running on Google Cloud VM instances for CI/CD. You need to extend the functionality to use infrastructure as code automation by using Terraform. You must ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. You want to follow Google-recommended practices. What should you do?
Options
- A. Confirm that the Jenkins VM instance has an attached service account with the appropriate
- B. Use the Terraform module so that Secret Manager can retrieve credentials.
- C. Create a dedicated service account for the Terraform instance. Download and copy the secret
- D. Add the gcloud auth application-default login command as a step in Jenkins before running the
Explanation
To authorize a Jenkins instance on a Google Cloud VM to create resources with Terraform, create a dedicated service account with specific permissions, and use its key file for authentication.
Common mistakes.
- A. Relying solely on the Jenkins VM's attached service account may give Terraform broader permissions than it needs (violating least privilege) or fewer than it needs; either way the permissions are not scoped to the Terraform workload.
- B. Using a Terraform module for Secret Manager to retrieve credentials is a good practice for storing credentials, but the question is about authorizing the Jenkins instance to use credentials to create resources, which requires the initial credential setup, not just retrieval.
- D. The gcloud auth application-default login command is intended for interactive user authentication; it is not suitable for automated service account authentication in CI/CD pipelines and does not follow Google's recommended practices for service accounts.
Concept tested. Service account authentication for CI/CD
Reference. https://cloud.google.com/iam/docs/creating-managing-service-accounts#using_service_account_keys
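As an added illustration of the explanation above (this is editor-written example configuration, not part of the exam page and not code from Google's documentation), the following Terraform files show the two halves of the setup the answer describes: a bootstrap configuration an administrator applies once to create the dedicated service account and bind only the role the pipeline needs, and the pipeline-side configuration Jenkins runs, which authenticates with that account's downloaded key file. The project id, account name, role, file paths and the demo VM are all assumptions chosen for the example.

```hcl
# ---- bootstrap/main.tf (applied once by an administrator) ----
# The administrator authenticates with their own Application Default
# Credentials, so no "credentials" argument is set on this provider.
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

variable "project_id" {
  type = string # assumed: the project Jenkins will manage
}

provider "google" {
  project = var.project_id
}

# Dedicated identity for the Terraform pipeline, separate from the
# Jenkins VM's attached account (assumed account id).
resource "google_service_account" "terraform_runner" {
  account_id   = "terraform-jenkins"
  display_name = "Terraform runner for Jenkins pipelines"
}

# Least privilege: bind only what the pipeline's Terraform code needs.
# roles/compute.admin is an assumption for a pipeline that manages VMs;
# narrow it further (or use a custom role) for a different workload.
resource "google_project_iam_member" "terraform_runner_compute" {
  project = var.project_id
  role    = "roles/compute.admin"
  member  = "serviceAccount:${google_service_account.terraform_runner.email}"
}

output "terraform_runner_email" {
  value = google_service_account.terraform_runner.email
}

# ---- pipeline/main.tf (run by the Jenkins job) ----
# Authenticates as the dedicated account using its downloaded key file.
# The file is injected by Jenkins at build time (for example as a
# "Secret file" credential) and is never committed to the repository.
variable "pipeline_project_id" {
  type = string
}

variable "credentials_file" {
  type      = string
  sensitive = true # assumed path such as /var/lib/jenkins/secrets/terraform-jenkins.json
}

provider "google" {
  alias       = "pipeline"
  project     = var.pipeline_project_id
  credentials = file(var.credentials_file)
}

# A minimal resource so the pipeline has something to create (demo values).
resource "google_compute_instance" "demo" {
  provider     = google.pipeline
  name         = "jenkins-managed-vm"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }
}
```

Between the two steps the administrator generates the key for the dedicated account with gcloud iam service-accounts keys create, giving the output path and --iam-account set to the bootstrap output email, and then stores that JSON file as a Jenkins secret rather than in the repository. The two files are shown together only for readability; in practice they live in separate Terraform root modules, which is why the pipeline provider carries an alias here.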