
Answer-first summary for fast verification
Answer: Create multiple service accounts, one for each pipeline with the appropriate minimal Identity and Access Management (IAM) permissions. Use a secret manager service to store the key files of the service accounts. Allow the CI/CD pipeline to request the appropriate secrets during the execution of the pipeline.
Option D is the correct answer. This approach follows security best practices by adhering to the principle of least privilege, where each service account is granted only the permissions necessary for its specific role in the CI/CD pipeline. Creating multiple service accounts for different aspects of the pipeline ensures better granularity and security in managing permissions. Additionally, using a secret manager service to store the key files of the service accounts enhances security by safely managing and accessing these keys. This method also allows the CI/CD pipeline to request the appropriate secrets during execution, ensuring credentials are only provided when needed and are not unnecessarily exposed.
Author: LeetQuiz Editorial Team
Your company is in the process of transitioning its continuous integration and delivery (CI/CD) pipeline to Google Compute Engine instances. This CI/CD pipeline is essential for automating and managing your entire cloud infrastructure through Infrastructure as Code (IaC) practices. To ensure smooth operation, it's crucial that the pipeline has the necessary permissions to interact with the cloud infrastructure. How can you configure these permissions to adhere to security best practices, ensuring both functionality and security are optimally maintained?
A. Attach a single service account to the compute instances. Add minimal rights to the service account. Allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources.
B. Add a step for human approval to the CI/CD pipeline before the execution of the infrastructure provisioning. Use the human approvals IAM account for the provisioning.
C. Attach a single service account to the compute instances. Add all required Identity and Access Management (IAM) permissions to this service account to create, update, or delete resources.
D. Create multiple service accounts, one for each pipeline with the appropriate minimal Identity and Access Management (IAM) permissions. Use a secret manager service to store the key files of the service accounts. Allow the CI/CD pipeline to request the appropriate secrets during the execution of the pipeline.