Your organization uses a centralized identity provider to manage access for both human and machine identities. You need to enable on-premises applications to access Google Cloud resources without using hard-coded credentials by leveraging this existing identity management system. What should you do?

Exam-Like

Last updated: December 9, 2025 at 14:04

Enable Secure Web Proxy. Create a proxy subnet for each region that Secure Web Proxy will be deployed. Deploy an SSL certificate to Certificate Manager. Create a Secure Web Proxy policy and rules that allow access to Google Cloud services.

Enable Workforce Identity Federation. Create a workforce identity pool and specify the on-premises identity provider as a workforce identity pool provider. Create an attribute mapping to map the on-premises identity provider token to a Google STS token. Create an IAM binding that binds the required role(s) to the external identity by specifying the project ID, workload identity pool, and attribute that should be matched.

Enable Identity-Aware Proxy (IAP). Configure IAP by specifying the groups and service accounts that should have access to the application. Grant these identities the IAP-secured web app user role.

Enable Workload Identity Federation. Create a workload identity pool and specify the on-premises identity provider as a workload identity pool provider. Create an attribute mapping to map the on-premises identity provider token to a Google STS token. Create a service account with the necessary permissions for the workload. Grant the external identity the Workload Identity user role on the service account.

Google Professional Cloud Security Engineer

Get started today

Comments

Your organization uses a centralized identity provider to manage access for both human and machine identities. You need to enable on-premises applications to access Google Cloud resources without using hard-coded credentials by leveraging this existing identity management system. What should you do?