Google Cloud Professional Cloud Security Engineer — Question 194
Your organization is migrating its primary web application from on-premises to Google Kubernetes Engine (GKE). You must advise the development team on how to grant their applications access to Google Cloud services from within GKE according to security recommended practices. What should you advise the development team to do?
Answer options
- A. Configure the GKE nodes to use the default Compute Engine service account.
- B. Enable Workload Identity for GKE. Assign a Kubernetes service account to the application and configure that Kubernetes service account to act as an Identity and Access Management (IAM) service account. Grant the required roles to the IAM service account.
- C. Create a user-managed service account with only the roles required for the specific workload. Assign this service account to the GKE nodes.
- D. Create an application-specific IAM service account and generate a user-managed service account key for it. Inject the key to the workload by storing it as a Kubernetes secret within the same namespace as the application.
Correct answer: B
Explanation
The correct answer is B because enabling Workload Identity lets applications running in GKE access Google Cloud services through IAM roles without creating or managing service account keys: the Kubernetes service account is mapped to an IAM service account, and the workload obtains short-lived credentials for that identity. Option A is incorrect because the default Compute Engine service account typically carries broad permissions, so every workload on the node inherits more access than it needs. Option C is less secure because it attaches the identity to the GKE nodes rather than to the application, so every pod scheduled on those nodes shares the same permissions. Option D relies on a user-managed service account key, a long-lived credential that must be stored, rotated and protected, which is not recommended because of the risk of leakage.