
Answer-first summary for fast verification
Answer (A and C): Create a new Kubernetes service account, and assign the service account to the Pods. Use Workload Identity to authenticate as the Google service account. Create a new Google service account, and assign the appropriate IAM permissions.
The question focuses on Google-recommended practices for identity management in a CI/CD pipeline that uses GKE ephemeral Pods for Terraform deployments. Google emphasizes security and least privilege, and discourages long-lived service account keys because of risks such as exposure and rotation challenges. Workload Identity is the preferred method for authenticating Pods to Google Cloud services: it lets a Kubernetes service account impersonate a Google service account without any key material (the mapping is granted by giving the Kubernetes service account the roles/iam.workloadIdentityUser role on the Google service account). Option A correctly implements Workload Identity by assigning a Kubernetes service account to the Pods for authentication. Option C is essential because a dedicated Google service account with precisely scoped IAM permissions gives the Terraform deployments least-privilege access, and this must be done regardless of the authentication method. Options B and D are incorrect because they generate and store JSON keys, which violates best practices by introducing long-lived credential risk. Option E is incorrect because assigning permissions to the Compute Engine VM's service account grants that access to every Pod on the node, violating least privilege and workload isolation.
Author: LeetQuiz Editorial Team
You are designing a CI/CD pipeline for Terraform deployments of Google Cloud resources. Your pipeline runs on Google Kubernetes Engine (GKE) using ephemeral Pods for each execution. You need to ensure these Pods have the correct IAM permissions for Terraform deployments while adhering to Google's recommended identity management practices. What should you do? (Select two.)
A
Create a new Kubernetes service account, and assign the service account to the Pods. Use Workload Identity to authenticate as the Google service account.
B
Create a new JSON service account key for the Google service account, store the key as a Kubernetes secret, inject the key into the Pods, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.
C
Create a new Google service account, and assign the appropriate IAM permissions.
D
Create a new JSON service account key for the Google service account, store the key in the secret management store for the CI/CD tool, and configure Terraform to use this key for authentication.
E
Assign the appropriate IAM permissions to the Google service account associated with the Compute Engine VM instances that run the Pods.
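The setup that options A and C describe, written out as an added Terraform example (this is not code from the original question or from Google; provider configuration, the variables var.project_id and var.region, the cluster, namespace and service account names, the container image tag, and the placeholder roles/editor binding are all assumptions for illustration):

```hcl
# Added example: Workload Identity for an ephemeral Terraform runner Pod on GKE.
# Assumed: google and kubernetes providers are already configured, and
# var.project_id / var.region are declared elsewhere.

resource "google_container_cluster" "ci" {
  name                     = "ci-cluster" # assumed name
  location                 = var.region
  project                  = var.project_id
  remove_default_node_pool = true
  initial_node_count       = 1

  # Enable Workload Identity on the cluster; the workload pool is always
  # PROJECT_ID.svc.id.goog.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

resource "google_container_node_pool" "ci" {
  name       = "ci-pool" # assumed name
  cluster    = google_container_cluster.ci.name
  location   = var.region
  project    = var.project_id
  node_count = 1

  node_config {
    machine_type = "e2-standard-4" # assumed size
    # GKE_METADATA runs the per-node metadata server that issues tokens for the
    # mapped Google service account, so Pods never see the node VM's own
    # service account credentials (the broad access option E relies on).
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}

# Option C: a dedicated Google service account for the pipeline, with only the
# roles Terraform needs. roles/editor is a placeholder; narrow it to the
# resources the pipeline actually manages.
resource "google_service_account" "terraform" {
  account_id   = "terraform-ci" # assumed name
  display_name = "Terraform CI/CD pipeline"
  project      = var.project_id
}

resource "google_project_iam_member" "terraform_perms" {
  project = var.project_id
  role    = "roles/editor" # placeholder; replace with least-privilege roles
  member  = "serviceAccount:${google_service_account.terraform.email}"
}

# Option A: a Kubernetes service account annotated with the Google service
# account it should impersonate.
resource "kubernetes_namespace" "ci" {
  metadata {
    name = "ci" # assumed namespace
  }
}

resource "kubernetes_service_account" "terraform" {
  metadata {
    name      = "terraform-ci" # assumed name
    namespace = kubernetes_namespace.ci.metadata[0].name
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.terraform.email
    }
  }
}

# The IAM binding that allows exactly this namespace/KSA pair to impersonate
# the Google service account. The annotation alone grants nothing without it.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[ci/terraform-ci]"
}

# An ephemeral runner Pod bound to that Kubernetes service account. No key file
# and no GOOGLE_APPLICATION_CREDENTIALS: Application Default Credentials find
# the GKE metadata server automatically.
resource "kubernetes_pod" "terraform_runner" {
  metadata {
    name      = "terraform-apply" # assumed name
    namespace = kubernetes_namespace.ci.metadata[0].name
  }
  spec {
    service_account_name = kubernetes_service_account.terraform.metadata[0].name
    restart_policy       = "Never"
    container {
      name  = "terraform"
      image = "hashicorp/terraform:1.6" # assumed image tag
      args  = ["apply", "-auto-approve"]
    }
  }
}
```

Two checks worth running after `terraform apply`: `kubectl get sa terraform-ci -n ci -o yaml` should show the iam.gke.io/gcp-service-account annotation, and from inside the Pod a request to `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` with the `Metadata-Flavor: Google` header should return the dedicated Google service account's email, not the node VM's. If the node pool is missing `workload_metadata_config` or the roles/iam.workloadIdentityUser binding is absent, the Pod falls back to no usable identity and Terraform fails with a permission error, which is the safe failure mode.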