Google Cloud Professional Cloud DevOps Engineer — Question 33

Your application artifacts are being built and deployed via a CI/CD pipeline. You want the CI/CD pipeline to securely access application secrets. You also want to more easily rotate secrets in case of a security breach. What should you do?

Answer options

• A. Prompt developers for secrets at build time. Instruct developers to not store secrets at rest.
• B. Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file.
• C. Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.
• D. Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it.

Correct answer: C

Explanation

The correct answer is C because it utilizes Cloud Storage and Cloud KMS to securely manage and encrypt secrets, ensuring that the CI/CD pipeline can access them securely. Options A and B compromise security by relying on manual processes or exposing secrets to developers, while option D risks exposing the decryption key in the source code repository.