
Answer-first summary for fast verification
Answer: Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
Option C is the correct answer because it addresses the core security concern: minimizing the risk that the CI/CD system's credentials are stolen. Creating a custom service account lets you apply the principle of least privilege, granting only the permissions the pipeline needs. More importantly, enforcing the iam.disableServiceAccountKeyCreation organization policy prevents the creation of long-lived service account keys, which are high-risk credentials because they can be exported outside GCP and stolen. The workload is then forced onto managed identities and short-lived credentials, which significantly reduces the attack surface. Option A is incorrect because using a Cloud Identity user account with temporary credentials stored in a self-hosted vault adds complexity and potential security gaps in managing that vault. Option B is incorrect because disabling service account creation entirely would rule out service accounts altogether, and they are essential for automated workloads. Option D is incorrect because allowing credential lifetime extension enables longer-lived credentials, which increases risk and runs contrary to the goal of minimizing theft.
Author: LeetQuiz Editorial Team
You are deploying cloud infrastructure using a CI/CD system hosted on a Compute Engine instance. How can you minimize the risk of the CI/CD system's credentials being stolen?
A
Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
B
Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
C
Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
D
Create a custom service account for the cluster. Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
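Terraform that implements option C end to end, added here as an example and not taken from the quiz page or from Google's documentation; the project id variable, zone, instance name and the roles/viewer binding are placeholder assumptions to be replaced with the pipeline's real minimal role.

```hcl
# Added example, not from the quiz page. Placeholders: var.project_id, the zone,
# and roles/viewer standing in for the minimal role the pipeline really needs.
variable "project_id" { type = string }

# Dedicated service account for the CI/CD instance (least privilege via the single
# narrow role bound below, instead of the default Compute SA's broad Editor role).
resource "google_service_account" "cicd" {
  project      = var.project_id
  account_id   = "cicd-runner"
  display_name = "CI/CD runner on Compute Engine"
}

resource "google_project_iam_member" "cicd_role" {
  project = var.project_id
  role    = "roles/viewer" # placeholder for the pipeline's minimal role
  member  = "serviceAccount:${google_service_account.cicd.email}"
}

# Project-level org policy: no one can mint exportable, long-lived user-managed
# SA keys; the instance keeps authenticating with short-lived metadata-server tokens.
resource "google_project_organization_policy" "no_sa_keys" {
  project    = var.project_id
  constraint = "iam.disableServiceAccountKeyCreation"
  boolean_policy {
    enforced = true
  }
}

# Attach the custom SA to the instance. Scopes stay broad on purpose: the IAM role
# above, not the OAuth scope, is what bounds the account's permissions.
resource "google_compute_instance" "cicd" {
  project      = var.project_id
  name         = "cicd-runner"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }
  network_interface { network = "default" }
  service_account {
    email  = google_service_account.cicd.email
    scopes = ["cloud-platform"]
  }
}
```

Once the policy is enforced, an attempt to create a user-managed key with `gcloud iam service-accounts keys create` in that project is rejected with a constraint violation, which is exactly the behaviour the explanation relies on.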