Google Cloud Professional Cloud DevOps Engineer — Question 178
You are running a web application that connects to an AlloyDB cluster by using a private IP address in your default VPC. You need to run a database schema migration in your CI/CD pipeline by using Cloud Build before deploying a new version of your application. You want to follow Google-recommended security practices. What should you do?
Answer options
- A. Set up a Cloud Build private pool to access the database through a static external IP address. Configure the database to only allow connections from this IP address. Execute the schema migration script in the private pool.
- B. Create a service account that has permission to access the database. Configure Cloud Build to use this service account and execute the schema migration script in a private pool.
- C. Add the database username and password to Secret Manager. When running the schema migration script, retrieve the username and password from Secret Manager.
- D. Add the database username and encrypted password to the application configuration file. Use these credentials in Cloud Build to execute the schema migration script.
Correct answer: B
Explanation
The correct answer is B: a service account with the appropriate permissions is a secure way to manage access to the database during the migration. Option A is incorrect because it introduces unnecessary complexity with external IP addresses. Options C and D do not follow security best practices for managing sensitive credentials: they either expose the credentials or rely on less secure methods.