Google Cloud Professional Cloud Security Engineer — Question 140
Your company recently published a security policy to minimize the usage of service account keys. On-premises Windows-based applications are interacting with Google Cloud APIs. You need to implement Workload Identity Federation (WIF) with your identity provider on-premises.
What should you do?
Answer options
- A. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Configure a rule to let principals in the pool impersonate the Google Cloud service account.
- B. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Let all principals in the pool impersonate the Google Cloud service account.
- C. Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Configure a rule to let principals in the pool impersonate the Google Cloud service account.
- D. Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Let all principals in the pool impersonate the Google Cloud service account.
Correct answer: A
Explanation
The correct answer is A because it federates with the corporate identity provider (ADFS) and restricts impersonation to principals that match a configured rule, which is the least-privilege approach. Option B is incorrect because letting every principal in the pool impersonate the service account removes that restriction: any identity the provider issues a token for could obtain Google Cloud credentials, which is a security risk. Options C and D are also incorrect because they federate with an OIDC service running on the same machine as the application rather than with the corporate ADFS, so they do not meet the requirement to use the on-premises corporate identity provider.