
Answer-first summary for fast verification
Answer: Assign the Google Cloud service account to your GKE Pod using Workload Identity.
Workload Identity is the recommended best practice for allowing GKE workloads to securely access Google Cloud services. It associates a Kubernetes service account with a Google Cloud service account, so pods authenticate with short-lived, automatically rotated credentials that Google manages. This removes the need to store static service account keys, which would require manual rotation and pose a security risk. Options B, C, and D all involve exporting a static key (via a Secret, the source code, or Vault), and none of them meets the auto-rotation and encrypted-storage requirements as well as Workload Identity does.
Author: LeetQuiz Editorial Team
You have an application running on Google Kubernetes Engine (GKE) that needs to make authenticated requests to Google Cloud managed services. The solution should be a one-time setup adhering to security best practices, including automatic key rotation and encrypted storage of credentials. A service account with the necessary permissions has already been created. What is the next step to configure this securely?
A. Assign the Google Cloud service account to your GKE Pod using Workload Identity.
B. Export the Google Cloud service account, and share it with the Pod as a Kubernetes Secret.
C. Export the Google Cloud service account, and embed it in the source code of the application.
D. Export the Google Cloud service account, and upload it to HashiCorp Vault to generate a dynamic service account for your application.