
Answer-first summary for fast verification
Answer: Enable Workload Identity Federation. Create a workload identity pool and specify the on-premises identity provider as a workload identity pool provider. Create an attribute mapping to map the on-premises identity provider token to a Google STS token. Create a service account with the necessary permissions for the workload. Grant the external identity the Workload Identity user role on the service account.
The question specifically asks to enable on-premises applications (machine identities) to access Google Cloud without hard-coded credentials. Workload Identity Federation (option D) is designed for this use case: it lets external applications and workloads authenticate to Google Cloud using tokens from external identity providers. The community discussion strongly supports D (85% consensus) with key insights: 'Workload Identity Federation is used for applications when Workforce Identity Federation is used for humans' and 'The requirement of the question is for applications, not persons.' Option B (Workforce Identity Federation) is incorrect because it is designed for human workforce access, not applications. Option A (Secure Web Proxy) is unrelated to identity federation, and option C (IAP) secures access to web applications rather than enabling application-to-cloud access via an external identity provider.
Author: LeetQuiz Editorial Team
Your organization uses a centralized identity provider to manage access for both human and machine identities. You need to enable on-premises applications to access Google Cloud resources without using hard-coded credentials by leveraging this existing identity management system. What should you do?
A. Enable Secure Web Proxy. Create a proxy subnet for each region that Secure Web Proxy will be deployed. Deploy an SSL certificate to Certificate Manager. Create a Secure Web Proxy policy and rules that allow access to Google Cloud services.
B. Enable Workforce Identity Federation. Create a workforce identity pool and specify the on-premises identity provider as a workforce identity pool provider. Create an attribute mapping to map the on-premises identity provider token to a Google STS token. Create an IAM binding that binds the required role(s) to the external identity by specifying the project ID, workload identity pool, and attribute that should be matched.
C. Enable Identity-Aware Proxy (IAP). Configure IAP by specifying the groups and service accounts that should have access to the application. Grant these identities the IAP-secured web app user role.
D. Enable Workload Identity Federation. Create a workload identity pool and specify the on-premises identity provider as a workload identity pool provider. Create an attribute mapping to map the on-premises identity provider token to a Google STS token. Create a service account with the necessary permissions for the workload. Grant the external identity the Workload Identity user role on the service account.