Google Cloud Professional Cloud Developer — Question 320
Your infrastructure team uses Terraform Cloud and manages Google Cloud resources by using Terraform configuration files. You want to configure an infrastructure as code pipeline that authenticates to Google Cloud APIs. You want to use the most secure approach and minimize changes to the configuration. How should you configure the authentication?
Answer options
- A. Use Terraform on GKE. Create a Kubernetes service account to execute the Terraform code. Use workload identity federation to authenticate as the Google service account.
- B. Install Terraform on a Compute Engine VM. Configure the VM by using a service account that has the required permissions to manage the Google Cloud resources.
- C. Configure Terraform Cloud to use workload identity federation to authenticate to the Google Cloud APIs.
- D. Create a service account that has the required permissions to manage the Google Cloud resources, and import the service account key to Terraform Cloud. Use this service account to authenticate to the Google Cloud APIs.
Correct answer: C
Explanation
The correct answer is C. Configuring Terraform Cloud to use workload identity federation authenticates to the Google Cloud APIs without service account keys, which reduces the risk of key exposure. Option A is incorrect because it involves GKE and Kubernetes service accounts, which is not the most straightforward method for Terraform Cloud. Option B uses a Compute Engine VM, which complicates the setup and is less secure. Option D is functional but requires handling service account keys, which is less secure than workload identity federation.