
Answer-first summary for fast verification
Answer: Enable Workload Identity for GKE. Assign a Kubernetes service account to the application and configure that Kubernetes service account to act as an Identity and Access Management (IAM) service account. Grant the required roles to the IAM service account.
Option B is correct because it implements Workload Identity, Google's recommended practice for granting GKE workloads access to Google Cloud services. With Workload Identity, a Kubernetes service account is mapped to an IAM service account and receives short-lived tokens for it, so no long-lived service account key is ever created or exposed. Because the mapping is made per workload, each application holds only the roles granted to its own IAM service account, which is the principle of least privilege.

Option A is insecure: the default Compute Engine service account typically has overly broad permissions, and every pod on the node shares them. Option C is better than A but still grants permissions at the node level rather than the workload level, so every pod on those nodes shares the same identity and the principle of least privilege is violated. Option D is explicitly discouraged by Google's security best practices because it requires creating and managing user-managed service account keys, which are long-lived credentials that pose significant risk if compromised.
Author: LeetQuiz Editorial Team
Your organization is migrating its primary web application from on-premises to Google Kubernetes Engine (GKE). You need to advise the development team on the security best practices for granting their applications access to Google Cloud services from within GKE. What should you tell them to do?
A. Configure the GKE nodes to use the default Compute Engine service account.
B. Enable Workload Identity for GKE. Assign a Kubernetes service account to the application and configure that Kubernetes service account to act as an Identity and Access Management (IAM) service account. Grant the required roles to the IAM service account.
C. Create a user-managed service account with only the roles required for the specific workload. Assign this service account to the GKE nodes.
D. Create an application-specific IAM service account and generate a user-managed service account key for it. Inject the key to the workload by storing it as a Kubernetes secret within the same namespace as the application.