Google Cloud Professional Cloud Developer — Question 218
You are developing a microservice-based application that will run on Google Kubernetes Engine (GKE). Some of the services need to access different Google Cloud APIs. How should you set up authentication of these services in the cluster following Google-recommended best practices? (Choose two.)
Answer options
- A. Use the service account attached to the GKE node.
- B. Enable Workload Identity in the cluster via the gcloud command-line tool.
- C. Access the Google service account keys from a secret management service.
- D. Store the Google service account keys in a central secret management service.
- E. Use gcloud to bind the Kubernetes service account and the Google service account using roles/iam.workloadIdentity.
Correct answer: B, E
Explanation
The correct answers are B and E. Workload Identity is the Google-recommended way for GKE workloads to call Google Cloud APIs: you enable it on the cluster (and its node pools) with gcloud, then bind a Kubernetes service account (KSA) to a Google service account (GSA) by granting the KSA the roles/iam.workloadIdentityUser role on the GSA (the exact role name; option E abbreviates it) and annotating the KSA with the GSA's e-mail. Pods running as that KSA then obtain short-lived tokens for the GSA from the GKE metadata server, so no long-lived key is ever created, and each service can be given only the permissions it needs. Option A is wrong because the node's service account is shared by every pod on that node, so one compromised container inherits the permissions of all services on the node. Options C and D are wrong because they rely on exported service account keys, which are long-lived credentials that must be stored, rotated and protected; keeping them in a secret manager reduces but does not remove that risk, while Workload Identity avoids keys altogether.
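The steps behind answers B and E, written out as an added shell example (this is not part of the original question or of any Google documentation). The project, cluster, location, namespace, account names and the roles/pubsub.publisher role granted to the Google service account are assumptions chosen for illustration; by default the script only prints the commands (DRY_RUN=1), so you can review them before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: enable Workload Identity on a GKE cluster and bind one
# Kubernetes service account (KSA) to one Google service account (GSA).
# All names below are assumptions; override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
CLUSTER="${CLUSTER:-my-cluster}"
LOCATION="${LOCATION:-us-central1}"
NODE_POOL="${NODE_POOL:-default-pool}"
NAMESPACE="${NAMESPACE:-payments}"
KSA="${KSA:-payments-sa}"
GSA_NAME="${GSA_NAME:-payments-gsa}"
API_ROLE="${API_ROLE:-roles/pubsub.publisher}"   # assumed least-privilege role

# The Workload Identity pool name is fixed per project: PROJECT_ID.svc.id.goog
workload_pool() { printf '%s.svc.id.goog' "$1"; }

# E-mail of a Google service account in a project
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# IAM member string that identifies exactly one KSA (namespace/name) in the pool
ksa_member() { printf 'serviceAccount:%s[%s/%s]' "$(workload_pool "$1")" "$2" "$3"; }

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0)
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_workload_identity() {
  pool=$(workload_pool "$PROJECT_ID")
  gsa=$(gsa_email "$GSA_NAME" "$PROJECT_ID")
  member=$(ksa_member "$PROJECT_ID" "$NAMESPACE" "$KSA")

  # B: enable Workload Identity on the cluster, then switch the existing node
  # pool to the GKE metadata server so pods can no longer read node credentials.
  run gcloud container clusters update "$CLUSTER" --location "$LOCATION" \
      --workload-pool "$pool"
  run gcloud container node-pools update "$NODE_POOL" --cluster "$CLUSTER" \
      --location "$LOCATION" --workload-metadata GKE_METADATA

  # One GSA per service, holding only the API permissions that service needs.
  run gcloud iam service-accounts create "$GSA_NAME" --project "$PROJECT_ID"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:$gsa" --role "$API_ROLE"

  # E: allow this KSA, and only this KSA, to impersonate the GSA.
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
      --project "$PROJECT_ID" --role roles/iam.workloadIdentityUser \
      --member "$member"

  # Annotate the KSA so the GKE metadata server knows which GSA to issue tokens for.
  run kubectl create serviceaccount "$KSA" -n "$NAMESPACE"
  run kubectl annotate serviceaccount "$KSA" -n "$NAMESPACE" \
      "iam.gke.io/gcp-service-account=$gsa"
}

# Only run when invoked directly with RUN_SETUP=1; otherwise just define helpers.
if [ "${RUN_SETUP:-0}" = "1" ]; then setup_workload_identity; fi
```

Pods must set `serviceAccountName: payments-sa` in their spec to pick up the binding; a pod using the default KSA still gets no Google credentials at all, which is the intended failure mode. Note that the binding is keyed on the exact namespace/name pair, so a KSA with the same name in another namespace cannot impersonate the GSA.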