Explanation:
The question requires a solution that provides granular access to secrets, control over encryption key rotation schedules, environment separation, and ease of management. Option A is optimal because: (1) Using separate projects for Production and Non-Production secrets maintains environment separation, (2) Project-level IAM bindings, while less granular than secret-level, can still provide adequate access control when combined with proper project organization and are easier to manage at scale, (3) Customer-managed encryption keys (CMEK) give full control over key rotation schedules, which is explicitly required. Option C uses Google-managed keys, which do not provide control over rotation schedules, violating a key requirement. Option B and D use a single project, failing environment separation. The community discussion shows 76% support for A, with the top-voted comment (13 upvotes) explaining that A meets all requirements, while comments favoring C (24%) overlook that Google-managed keys do not allow control over rotation.
Ultimate access to all questions.
You are designing a new governance model for secrets stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
A
B
C
D
No comments yet.