Google Cloud Professional Cloud DevOps Engineer — Question 105

You are creating a CI/CD pipeline to perform Terraform deployments of Google Cloud resources. Your CI/CD tooling is running in Google Kubernetes Engine (GKE) and uses an ephemeral Pod for each pipeline run. You must ensure that the pipelines that run in the Pods have the appropriate Identity and Access Management (IAM) permissions to perform the Terraform deployments. You want to follow Google-recommended practices for identity management. What should you do? (Choose two.)

Answer options

• A. Create a new Kubernetes service account, and assign the service account to the Pods. Use Workload Identity to authenticate as the Google service account.
• B. Create a new JSON service account key for the Google service account, store the key as a Kubernetes secret, inject the key into the Pods, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.
• C. Create a new Google service account, and assign the appropriate IAM permissions.
• D. Create a new JSON service account key for the Google service account, store the key in the secret management store for the CI/CD tool, and configure Terraform to use this key for authentication.
• E. Assign the appropriate IAM permissions to the Google service account associated with the Compute Engine VM instances that run the Pods.

Correct answer: A, C

Explanation

Option A is correct because it involves creating a Kubernetes service account and using Workload Identity, which aligns with Google’s best practices for managing identities. Option C is also correct as it ensures the Google service account has the necessary IAM permissions. Options B, D, and E are not recommended; they involve handling service account keys, which can lead to security issues and do not follow the best practices of using Workload Identity.