
Answer-first summary for fast verification
Answer: Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Configure a rule to let principals in the pool impersonate the Google Cloud service account.
Option A is correct because it implements Workload Identity Federation with the corporate Active Directory Federation Services (ADFS) as the identity provider, which matches the on-premises Windows environment (ADFS can be registered in the pool as either an OpenID Connect or a SAML 2.0 provider). Crucially, it restricts which federated identities may impersonate the Google Cloud service account. In practice that "rule" is the roles/iam.workloadIdentityUser grant on the service account: it is given to a specific subject (principal://.../subject/...) or to a narrow set such as a group or attribute value (principalSet://.../group/... or .../attribute.NAME/VALUE), and can be paired with an attribute condition on the provider so that only the intended ADFS tokens can be exchanged at all. This satisfies least privilege and the security policy of moving away from downloadable service account keys. Option B is incorrect because letting all principals in the pool (principalSet://.../*) impersonate the service account means any identity for which ADFS will issue a token can obtain Google Cloud credentials, which violates least privilege and widens the blast radius of any compromised on-premises account. Options C and D are unsuitable because an OpenID Connect service running on the same machine as the application is not the corporate identity provider: the workload would effectively be vouching for itself, trust would no longer be rooted in the centrally managed ADFS, and the issuer would have to be deployed, secured and kept in sync on every host, which complicates both management and security. The community discussion strongly supports A, with high upvotes and reasoning centred on least privilege and controlled access.
Author: LeetQuiz Editorial Team
Your company has implemented a security policy to reduce the use of service account keys. On-premises Windows applications need to interact with Google Cloud APIs. How should you implement Workload Identity Federation (WIF) with your on-premises identity provider?
A
Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Configure a rule to let principals in the pool impersonate the Google Cloud service account.
B
Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Let all principals in the pool impersonate the Google Cloud service account.
C
Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Configure a rule to let principals in the pool impersonate the Google Cloud service account.
D
Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Let all principals in the pool impersonate the Google Cloud service account.
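As an added example (not part of the original question or the LeetQuiz page), the following Python script shows what "configure a rule to let principals impersonate the service account" means concretely in Google Cloud IAM: it builds the member strings for a single subject, a group, an attribute value, or the whole pool, and lints a service-account IAM policy for the option B pattern, roles/iam.workloadIdentityUser granted to principalSet://.../*. The project number, pool ID, subject and policy document are constructed illustrative values; the policy shape is what gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json returns.

```python
"""Check a Google Cloud service account's IAM policy for Workload Identity
Federation grants that let *every* identity in a pool impersonate it (the
option B pattern), and build the narrower member strings option A calls for.

The policy document is what
  gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
returns. The sample below is constructed inline so the script runs offline;
the project number, pool ID, subjects and etag are illustrative values.
"""
import re

WIF_ROLE = "roles/iam.workloadIdentityUser"

# Resource path shared by every federated-identity member string.
_POOL = "iam.googleapis.com/projects/{project}/locations/global/workloadIdentityPools/{pool}"


def pool_member(project_number, pool_id, *, subject=None, group=None,
                attribute=None, everyone=False):
    """Return the IAM member string for one identity (or a set) in a pool.

    subject   -> one identity            (principal://.../subject/SUBJECT)   option A
    group     -> one group               (principalSet://.../group/GROUP)     option A
    attribute -> (name, value) selector  (principalSet://.../attribute.NAME/VALUE)
    everyone  -> the whole pool          (principalSet://.../*)               option B
    """
    base = _POOL.format(project=project_number, pool=pool_id)
    if subject is not None:
        return f"principal://{base}/subject/{subject}"
    if group is not None:
        return f"principalSet://{base}/group/{group}"
    if attribute is not None:
        name, value = attribute
        return f"principalSet://{base}/attribute.{name}/{value}"
    if everyone:
        return f"principalSet://{base}/*"
    raise ValueError("choose exactly one of subject, group, attribute, everyone")


# Matches the "all identities in the pool" wildcard member.
_WHOLE_POOL = re.compile(
    r"^principalSet://iam\.googleapis\.com/projects/[^/]+/locations/global/"
    r"workloadIdentityPools/[^/]+/\*$"
)


def broad_wif_grants(policy):
    """Return members that let every identity in a pool impersonate the SA.

    Only roles/iam.workloadIdentityUser bindings are examined, because that
    is the role a federated identity needs in order to impersonate the account.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != WIF_ROLE:
            continue
        findings.extend(m for m in binding.get("members", []) if _WHOLE_POOL.match(m))
    return findings


# Constructed sample policy: one narrow grant (option A) and one pool-wide
# grant (option B) on the same service account.
PROJECT_NUMBER = "123456789012"
POOL_ID = "adfs-pool"
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": WIF_ROLE,
            "members": [
                pool_member(PROJECT_NUMBER, POOL_ID, subject="svc-billing@corp.example"),
                pool_member(PROJECT_NUMBER, POOL_ID, everyone=True),
            ],
        },
        {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXexampleEtag=",
}

if __name__ == "__main__":
    for member in broad_wif_grants(SAMPLE_POLICY):
        print(f"pool-wide impersonation grant: {member}")
```

To lint a real account, pass the parsed output of the gcloud command in the docstring to broad_wif_grants. A finding means anyone the pool's provider will accept can mint credentials for that service account; replace the wildcard with a subject, group or attribute member, and tighten the provider with --attribute-condition so that tokens for other subjects are rejected before IAM is consulted.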