
Explanation:
Google recommends avoiding the use of service account keys (long-lived credentials) for security reasons. Option B uses service account impersonation via gcloud to generate a short-lived access token for the service account. This aligns with best practices by eliminating the need for static keys. The gcloud config set auth/impersonate_service_account command configures impersonation, and gcloud auth print-access-token retrieves a token for the service account. Setting GOOGLE_OAUTH_ACCESS_TOKEN to this token allows Terraform to authenticate as the service account without keys. Options A and D involve service account keys, which are discouraged. Option C uses the user's credentials directly, which does not meet the requirement to deploy resources using the service account.
To deploy resources from your local machine to Google Cloud using Terraform with a service account, while adhering to Google's best practices, what steps should you take given that your Cloud Identity has the roles/iam.serviceAccountTokenCreator IAM role and the required permissions for Terraform deployments?
A
B
C
D