Google Cloud Professional Cloud Developer — Question 327

You are deploying a microservices application to GKE. One microservice needs to download files from a Cloud Storage bucket. You have an IAM service account with the Storage Object Viewer role on the project with the bucket. You need to configure your application to access the Cloud Storage bucket while following Google-recommended practices. What should you do?

Answer options

• A. Assign the IAM service account to the cluster’s node pool. Configure the application to authenticate to the bucket by using Application Default Credentials.
• B. Assign the IAM service account to the cluster’s node pool. Encrypt the IAM service account key file by using a symmetric block cipher, and store the encrypted file on a persistent volume. Store the encryption key in Secret Manager.
• C. Create a Kubernetes service account. Create a Kubernetes secret with a base64-encoded IAM service account key file. Annotate the Kubernetes secret with the Kubernetes service account. Assign the Kubernetes ServiceAccount to the Pods that need to access the bucket.
• D. Create a Kubernetes service account. Use an IAM policy to bind the IAM service account to a Kubernetes service account. Annotate the Kubernetes ServiceAccount object with the name of the bound IAM service account. Assign the Kubernetes ServiceAccount to the Pods that need to access the bucket.

Correct answer: D

Explanation

The correct answer is D because it uses a Kubernetes service account with IAM policy binding, which aligns with Google’s best practices for managing access to resources. Option A does not involve a Kubernetes service account, and options B and C involve managing IAM service account keys, which is not recommended due to security concerns.