Google Cloud Professional Cloud Developer — Question 192

You have an application deployed in Google Kubernetes Engine (GKE). You need to update the application to make authorized requests to Google Cloud managed services. You want this to be a one-time setup, and you need to follow security best practices of auto-rotating your security keys and storing them in an encrypted store. You already created a service account with appropriate access to the Google Cloud service. What should you do next?

Answer options

• A. Assign the Google Cloud service account to your GKE Pod using Workload Identity.
• B. Export the Google Cloud service account, and share it with the Pod as a Kubernetes Secret.
• C. Export the Google Cloud service account, and embed it in the source code of the application.
• D. Export the Google Cloud service account, and upload it to HashiCorp Vault to generate a dynamic service account for your application.

Correct answer: A

Explanation

The correct answer is A because using Workload Identity allows you to associate the Google Cloud service account with your GKE Pod securely without managing keys. Options B and C are less secure since they involve sharing or embedding the service account, which can lead to key management issues. Option D, while secure, introduces unnecessary complexity for this scenario as Workload Identity provides the required functionality directly.