Google Cloud Professional Cloud Developer — Question 249
Your application is running as a container in a Google Kubernetes Engine cluster. You need to add a secret to your application using a secure approach. What should you do?
Answer options
- A. Create a Kubernetes Secret, and pass the Secret as an environment variable to the container.
- B. Enable Application-layer Secret Encryption on the cluster using a Cloud Key Management Service (KMS) key.
- C. Store the credential in Cloud KMS. Create a Google service account (GSA) to read the credential from Cloud KMS. Export the GSA as a .json file, and pass the .json file to the container as a volume which can read the credential from Cloud KMS.
- D. Store the credential in Secret Manager. Create a Google service account (GSA) to read the credential from Secret Manager. Create a Kubernetes service account (KSA) to run the container. Use Workload Identity to configure your KSA to act as a GSA.
Correct answer: D
Explanation
Option D is correct because it uses Secret Manager, the service designed for storing and accessing secrets, together with Workload Identity, which lets the Kubernetes service account authenticate as the Google service account without any exported key. Option A is less secure because the secret is exposed as an environment variable of the container. Option B only encrypts Kubernetes Secrets at rest with a KMS key; it does not address how the application manages or retrieves the secret. Option C complicates the process unnecessarily by relying on Cloud KMS and requires exporting and managing a long-lived service account key file.
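The option D setup, as an added example that is not part of the original question: it builds the Workload Identity principal for the KSA, grants the GSA access to one secret only, and emits the annotated KSA manifest. All project, namespace, account and secret names are assumed placeholders, and the cluster is assumed to already have Workload Identity enabled; commands are printed unless APPLY=1.

```shell
#!/usr/bin/env sh
# Placeholder values (assumed); override via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
NAMESPACE="${NAMESPACE:-app}"
KSA="${KSA:-app-ksa}"
GSA="${GSA:-app-gsa}"
SECRET="${SECRET:-db-password}"

# Workload Identity principal for a KSA; the pool is always PROJECT_ID.svc.id.goog
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

# E-mail form of the GSA
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# KSA manifest carrying the annotation that binds it to the GSA
ksa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $1
  namespace: $2
  annotations:
    iam.gke.io/gcp-service-account: $3
EOF
}

# Execute only when APPLY=1; otherwise print, so the script reviews and runs offline.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }

setup() {
  gsa=$(gsa_email "$GSA" "$PROJECT_ID")
  run gcloud iam service-accounts create "$GSA" --project "$PROJECT_ID"
  # Least privilege: accessor on this one secret, not a project-wide role.
  run gcloud secrets add-iam-policy-binding "$SECRET" --project "$PROJECT_ID" \
      --member "serviceAccount:$gsa" --role roles/secretmanager.secretAccessor
  # Allow the KSA to act as the GSA (no key file is ever created).
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" --project "$PROJECT_ID" \
      --member "$(wi_member "$PROJECT_ID" "$NAMESPACE" "$KSA")" \
      --role roles/iam.workloadIdentityUser
  ksa_manifest "$KSA" "$NAMESPACE" "$gsa" | run kubectl apply -f -
}
setup
```

A pod whose spec sets `serviceAccountName` to this KSA then reads the secret through the Secret Manager client library using application default credentials; nothing is mounted or passed as an environment variable.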