VAULT-ASSOCIATE-002 Question #5: Real Exam Question with Answer & Explanation
The correct answer is A: Google Cloud Secrets Engine.
Question
Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?
Options
- A. Google Cloud Secrets Engine
- B. Identity secrets engine
- C. Key/Value secrets engine version 2
- D. SSH secrets engine
Explanation
For provisioning GCP resources within a CI/CD pipeline, the Google Cloud Secrets Engine is the most appropriate choice as it dynamically generates short-lived GCP service account keys or OAuth tokens, enhancing security.
Common mistakes.
- B. The Identity secrets engine is for managing Vault's internal identity system and aliases, not for generating credentials for external cloud providers like GCP.
- C. The Key/Value secrets engine (v2) can only store static GCP credentials; it does not generate the dynamic, short-lived, automatically revoked credentials that the dedicated Google Cloud Secrets Engine provides, which is what limits exposure if a CI/CD pipeline is compromised.
- D. The SSH secrets engine is used for generating one-time SSH credentials or signing SSH keys, which is unrelated to provisioning VMs in GCP.
Concept tested. Vault secrets engines for cloud integration
Reference. https://www.vaultproject.io/docs/secrets/gcp