Google Cloud Professional Cloud Developer — Question 172
You are a developer at a large organization. You have an application written in Go running in a production Google Kubernetes Engine (GKE) cluster. You need to add a new feature that requires access to BigQuery. You want to grant BigQuery access to your GKE cluster following Google-recommended best practices. What should you do?
Answer options
- A. Create a Google service account with BigQuery access. Add the JSON key to Secret Manager, and use the Go client library to access the JSON key.
- B. Create a Google service account with BigQuery access. Add the Google service account JSON key as a Kubernetes secret, and configure the application to use this secret.
- C. Create a Google service account with BigQuery access. Add the Google service account JSON key to Secret Manager, and use an init container to access the secret for the application to use.
- D. Create a Google service account and a Kubernetes service account. Configure Workload Identity on the GKE cluster, and reference the Kubernetes service account on the application Deployment.
Correct answer: D
Explanation
The correct answer is D because it follows the best practice of using Workload Identity. A Kubernetes service account is bound to a Google service account, and GKE issues the pods that run as that Kubernetes service account short-lived credentials for the Google service account, so the application can reach BigQuery without any JSON key being created, stored, or rotated. Options A, B, and C all depend on a long-lived JSON key, which is not recommended: a downloaded key is a static secret that can be copied or leaked and stays valid until it is manually revoked, wherever it is stored.
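The setup that option D describes, as an added example that is not part of the original question page. Project, zone, cluster, namespace, account and Deployment names are placeholders, and the BigQuery role is an assumption (the narrowest read-only role is used for illustration). The gcloud and kubectl steps run only when `APPLY=1`, so the helper functions that build the identity strings and the manifest can be inspected on their own first.

```shell
#!/bin/sh
# Added example (not from the question page): grant a Go workload on GKE
# access to BigQuery through Workload Identity, with no JSON key anywhere.
# All names below are placeholders; edit them for a real project.
PROJECT_ID="my-project"
CLUSTER="prod-cluster"
ZONE="us-central1-a"
NAMESPACE="prod"
KSA_NAME="bq-reader"                  # Kubernetes service account
GSA_NAME="bq-reader"                  # Google service account
DEPLOYMENT="go-app"
BQ_ROLE="roles/bigquery.dataViewer"   # assumption: read-only access is enough

# Email of the Google service account.
gsa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$GSA_NAME" "$PROJECT_ID"
}

# IAM principal that represents the Kubernetes service account inside the
# cluster's workload identity pool. A typo here makes the binding useless,
# so it is built in one place and checked before anything is applied.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME"
}

# Kubernetes service account manifest; the annotation ties it to the GSA.
ksa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${KSA_NAME}
  namespace: ${NAMESPACE}
  annotations:
    iam.gke.io/gcp-service-account: $(gsa_email)
EOF
}

apply() {
  # 0. Workload Identity must be enabled on the cluster (existing node pools
  #    additionally need --workload-metadata=GKE_METADATA).
  gcloud container clusters update "$CLUSTER" --zone "$ZONE" \
    --workload-pool="${PROJECT_ID}.svc.id.goog"
  # 1. GSA that holds only the BigQuery role the feature needs.
  gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$(gsa_email)" --role "$BQ_ROLE"
  # 2. Let the KSA impersonate the GSA: this is the Workload Identity binding.
  gcloud iam service-accounts add-iam-policy-binding "$(gsa_email)" \
    --project "$PROJECT_ID" --role roles/iam.workloadIdentityUser \
    --member "$(wi_member)"
  # 3. Create the annotated KSA and point the Deployment at it. The Go
  #    BigQuery client then obtains credentials via Application Default
  #    Credentials from the GKE metadata server: no code change, no key file.
  ksa_manifest | kubectl apply -f -
  kubectl -n "$NAMESPACE" patch deployment "$DEPLOYMENT" \
    -p "{\"spec\":{\"template\":{\"spec\":{\"serviceAccountName\":\"${KSA_NAME}\"}}}}"
}

# Check from inside the cluster: a pod running as the KSA should list the
# GSA email as its active account.
verify() {
  kubectl -n "$NAMESPACE" run wi-check --rm -i --restart=Never \
    --image=google/cloud-sdk:slim \
    --overrides="{\"spec\":{\"serviceAccountName\":\"${KSA_NAME}\"}}" \
    -- gcloud auth list
}

if [ "${APPLY:-0}" = "1" ]; then
  apply
  verify
fi
```

The two strings worth reviewing before running are the annotation value (the GSA email) and the `--member` argument of the `workloadIdentityUser` binding; the pool name is always `PROJECT_ID.svc.id.goog` and the bracketed part is `NAMESPACE/KSA_NAME`, not the GSA. Nothing in the resulting Deployment references a Secret or sets `GOOGLE_APPLICATION_CREDENTIALS`, which is what distinguishes this design from options A to C.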