Answer-first summary for fast verification
Answer: Configure the appropriate service accounts, and use Workload Identity to run the pods.
The best approach is **A** because Workload Identity allows Kubernetes pods to securely authenticate as a Google service account. This method avoids storing credentials in the application code or environment variables, adhering to security best practices. Spanner access is granted via IAM roles assigned to the service account, minimizing code changes since the application uses Google Cloud client libraries' default credential lookup (which automatically leverages Workload Identity). - **B** is insecure because Kubernetes Secrets are base64-encoded (not encrypted) and exposing them as environment variables risks accidental exposure. - **C** addresses network routing but does not solve authentication/credential management for Spanner. - **D** introduces unnecessary complexity by requiring manual credential retrieval via KMS, increasing code changes and runtime overhead.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
You are developing a microservice-based application for deployment on Google Kubernetes Engine (GKE). The application requires read/write access to a Cloud Spanner database. Following security best practices while minimizing code changes, how should you configure your application to obtain Spanner credentials?
A
Configure the appropriate service accounts, and use Workload Identity to run the pods.
B
Store the application credentials as Kubernetes Secrets, and expose them as environment variables.
C
Configure the appropriate routing rules, and use a VPC-native cluster to directly connect to the database.
D
Store the application credentials using Cloud Key Management Service, and retrieve them whenever a database connection is made.