Google Cloud Professional Cloud Security Engineer — Question 314
You are running code in Google Kubernetes Engine (GKE) containers in Google Cloud that require access to objects stored in a Cloud Storage bucket. You need to securely grant the Pods access to the bucket while minimizing management overhead. What should you do?
Answer options
- A. Create a service account. Grant bucket access to the Pods by using Workload Identity Federation for GKE.
- B. Create a service account with keys. Store the keys in Secret Manager with a 30-day rotation schedule. Reference the keys in the Pods.
- C. Create a service account with keys. Store the keys as a Kubernetes secret. Reference the keys in the Pods.
- D. Create a service account with keys. Store the keys in Secret Manager. Reference the keys in the Pods.
Correct answer: A
Explanation
The correct answer is A because Workload Identity Federation for GKE lets Pods authenticate to Google Cloud as a service account without any service account key being created, distributed, stored or rotated, which both reduces the attack surface and minimizes management overhead. Options B, C, and D all depend on long-lived service account keys; wherever those keys are kept (Secret Manager with or without a rotation schedule, or a Kubernetes Secret), they remain credentials that can be exposed or leaked, and handling them adds operational complexity that option A avoids entirely.