
Explanation:
The best approach is A. Workload Identity lets GKE pods authenticate as a Google Cloud service account without any credential file or key being stored in the application code, container image, or environment variables, which is the security best practice. Access to Cloud Spanner is granted by assigning IAM roles to that service account. Code changes are minimal because the Google Cloud client libraries use Application Default Credentials, which automatically pick up the identity provided by Workload Identity at runtime.
You are developing a microservice-based application for deployment on Google Kubernetes Engine (GKE). The application requires read/write access to a Cloud Spanner database. Following security best practices while minimizing code changes, how should you configure your application to obtain Spanner credentials?
A. Configure the appropriate service accounts, and use Workload Identity to run the pods.
B. Store the application credentials as Kubernetes Secrets, and expose them as environment variables.
C. Configure the appropriate routing rules, and use a VPC-native cluster to directly connect to the database.
D. Store the application credentials using Cloud Key Management Service, and retrieve them whenever a database connection is made.