
Answer-first summary for fast verification
Answer: Create a workload identity pool with a workload identity provider for each external cloud. Set up a service account and add an IAM binding for impersonation.
Option C is the correct answer because it directly addresses the requirement for short-lived credentials across multiple cloud environments using Google Cloud's Workload Identity Federation (WIF). WIF allows external workloads from other clouds to exchange their native identity tokens for short-lived Google Cloud credentials via the Security Token Service (STS), eliminating the need for long-lived service account keys. This approach enhances security by reducing credential exposure and supports centralized management. Option A is incorrect as it applies to Compute Engine workloads within Google Cloud, not external clouds. Option B is insecure due to the use of long-lived service account keys, which violate the short-lived credential requirement. Option D is irrelevant as it relies on IP-based access control, not identity-based authentication with short-lived credentials.
Author: LeetQuiz Editorial Team
Your organization runs applications across multiple cloud environments. These applications need to access a Google Cloud resource within your project. To maintain a high level of security, you must use short-lived credentials for this cross-cloud access. What is the recommended approach?
A
Create a managed workload identity. Bind an attested identity to the Compute Engine workload.
B
Create a service account key. Download the key to each application that requires access to the Google Cloud resource.
C
Create a workload identity pool with a workload identity provider for each external cloud. Set up a service account and add an IAM binding for impersonation.
D
Create a VPC firewall rule for ingress traffic with an allowlist of the IP ranges of the external cloud applications.
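The steps behind option C, as an added example that is not part of the original page: a POSIX shell script that creates one workload identity pool, one provider per external cloud (AWS via `create-aws`, Azure via `create-oidc`), a service account, and the `roles/iam.workloadIdentityUser` binding that lets only the mapped external identities impersonate it. The project ids, pool and provider names, AWS account/role, Azure tenant and audience values are constructed placeholders, and `DRY_RUN=1` (the default) prints the `gcloud` commands instead of executing them so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example: provisioning Workload Identity Federation for two external
# clouds. All ids below are constructed placeholders, not real resources.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# run: execute a command, or print it when DRY_RUN is set.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# wif_pool_path PROJECT_NUMBER POOL_ID: full resource name of a pool.
# Pool resource names use the numeric project number, not the project id.
wif_pool_path() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s' "$1" "$2"
}

# wif_member PROJECT_NUMBER POOL_ID ATTRIBUTE VALUE: an IAM member matching
# every federated identity whose mapped attribute equals VALUE. Binding to an
# attribute-scoped principalSet, rather than the whole pool, keeps the
# impersonation grant least-privilege.
wif_member() {
  printf 'principalSet://iam.googleapis.com/%s/attribute.%s/%s' \
    "$(wif_pool_path "$1" "$2")" "$3" "$4"
}

# wif_setup PROJECT_ID PROJECT_NUMBER POOL_ID SA_NAME AWS_ACCOUNT AWS_ROLE AZURE_TENANT AZURE_AUDIENCE
wif_setup() {
  project_id=$1; project_number=$2; pool=$3; sa=$4
  aws_account=$5; aws_role=$6; azure_tenant=$7; azure_aud=$8
  sa_email="${sa}@${project_id}.iam.gserviceaccount.com"

  # 1. One pool for all external workloads of the organization.
  run gcloud iam workload-identity-pools create "$pool" \
    --project="$project_id" --location=global \
    --display-name="External cloud workloads"

  # 2a. AWS provider: trust is rooted in the AWS account. The default attribute
  #     mapping exposes the assumed IAM role as attribute.aws_role.
  run gcloud iam workload-identity-pools providers create-aws aws-provider \
    --project="$project_id" --location=global \
    --workload-identity-pool="$pool" \
    --account-id="$aws_account"

  # 2b. Azure provider: generic OIDC trust in the tenant's issuer, restricted
  #     to tokens minted for our audience and (belt and braces) our tenant id.
  run gcloud iam workload-identity-pools providers create-oidc azure-provider \
    --project="$project_id" --location=global \
    --workload-identity-pool="$pool" \
    --issuer-uri="https://sts.windows.net/${azure_tenant}/" \
    --allowed-audiences="$azure_aud" \
    --attribute-mapping="google.subject=assertion.sub" \
    --attribute-condition="assertion.tid == '${azure_tenant}'"

  # 3. The service account the external workloads will impersonate. No key is
  #    ever created for it; access is via STS token exchange + impersonation.
  run gcloud iam service-accounts create "$sa" \
    --project="$project_id" --display-name="Cross-cloud workload SA"

  # 4. Allow only the one AWS role (not the whole pool) to impersonate the SA.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$project_id" \
    --role=roles/iam.workloadIdentityUser \
    --member="$(wif_member "$project_number" "$pool" aws_role \
      "arn:aws:sts::${aws_account}:assumed-role/${aws_role}")"

  # 5. Client config for the AWS side: contains only the audience and the
  #    impersonation URL, so it is safe to ship with the application.
  run gcloud iam workload-identity-pools create-cred-config \
    "$(wif_pool_path "$project_number" "$pool")/providers/aws-provider" \
    --service-account="$sa_email" --aws \
    --output-file=aws-wif-config.json
}

# Constructed demo values; prints the plan because DRY_RUN defaults to 1.
wif_setup my-project 123456789012 ext-clouds cross-cloud-sa \
  111122223333 app-role 00000000-0000-0000-0000-000000000000 api://wif-demo
```

Run it once with `DRY_RUN=0` after reviewing the printed plan. The generated credential configuration holds no secret: at run time the AWS workload signs a `GetCallerIdentity` request with its own role credentials, exchanges that at the Security Token Service for a short-lived federated token, and uses it to call the impersonation endpoint for a short-lived access token on the service account. Rotating or revoking access is then an IAM change (the binding or the attribute condition), not a key-distribution exercise. A matching binding for the Azure provider would use a `principal://.../subject/<app object id>` member for the single application identity.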