GCP ACE Walkthrough: GKE Workload Identity and IAM Minimum Permissions
GKE deployment and IAM role assignment are among the highest-weighted topics on the updated 2025 ACE exam. This walkthrough covers a representative Workload Identity scenario and the IAM reasoning pattern that applies across ACE questions.
The question
A development team needs to deploy a containerised application to Google Kubernetes Engine. The application requires access to objects in a Cloud Storage bucket. You need to grant the application the minimum permissions required to read from the bucket without storing credentials in the container image or Kubernetes secrets. Which approach should you use?
A. Create a service account with the Storage Object Viewer role. Download a JSON key file and mount it as a Kubernetes Secret in the pod.
B. Create a service account with the Storage Object Viewer role. Annotate the Kubernetes service account to use Workload Identity and bind it to the Google service account.
C. Grant the Compute Engine default service account the Storage Object Viewer role. Deploy the GKE cluster using the default service account.
D. Enable uniform bucket-level access on the Cloud Storage bucket and grant the allUsers principal the Storage Object Viewer role.
[1 mark]
Correct answer: B
Why B is right
Workload Identity is the Google-recommended pattern for granting GKE workloads access to Google Cloud services without service account key files. The setup: create a Google service account (GSA) and grant it Storage Object Viewer on the bucket, create a Kubernetes service account (KSA) in the pod's namespace, annotate the KSA with the GSA email, and bind the KSA to the GSA with an IAM binding (the Workload Identity User role on the GSA, granted to the KSA's workload-pool principal). A pod running as that KSA then assumes the GSA identity automatically through the GKE metadata server — no JSON key, no Kubernetes Secret, no credentials to rotate or leak.
Why A is wrong — the key file anti-pattern
Downloading a JSON key file and mounting it as a Kubernetes Secret is the old pattern that Workload Identity was designed to replace. Key files must be rotated manually and can be exfiltrated if the cluster is compromised, and Kubernetes Secrets are only base64-encoded (not encrypted at rest by default). The question explicitly requires that no credentials be stored in the image or in Secrets — option A fails this constraint outright.
Why C is wrong
Granting the Compute Engine default service account broad permissions violates least privilege. The default service account is shared across all GKE nodes in the cluster — granting it Storage Object Viewer means every workload on every node can read the bucket, not just the application that needs it. ACE questions consistently penalise answers that grant permissions at the wrong scope.
Why D is wrong
Granting allUsers access makes the bucket publicly readable by anyone on the internet — the opposite of minimum permissions. Uniform bucket-level access is a good practice for consistent permission management, but the problem is who is granted the role, not how the access is applied.
The Workload Identity pattern to remember
Never use JSON key files in GKE
If an ACE question offers a JSON key file mounted as a Secret and Workload Identity as another option, Workload Identity is always correct. Key file patterns fail minimum-credential and no-storage-in-secrets requirements.
Scope permissions to the workload, not the node
The Compute Engine default service account is node-scoped. Workload Identity is pod-scoped. ACE questions on IAM almost always reward pod-level granularity over node-level access.
Storage Object Viewer vs Storage Object Admin
Read-only access = Storage Object Viewer. Read/write = Storage Object Creator or Admin. Minimum permissions means Viewer for read-only workloads. Do not over-grant — ACE questions include an Admin option as a distractor.
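As an added example (not code from this walkthrough or from Google's documentation), the shell functions below emit the gcloud and kubectl commands for the Workload Identity setup described under "Why B is right" and enforce the scoping rules of this section: a read-only workload is refused any role broader than Storage Object Viewer, and the allUsers and Compute Engine default service account principals are rejected. It assumes the cluster and node pool already have Workload Identity enabled; all project, bucket and account names are placeholders, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not part of the walkthrough. Prints (does not run) the
# gcloud/kubectl steps for Workload Identity and enforces least privilege.
# Assumes the GKE cluster and node pool already have Workload Identity
# enabled; all project, bucket and account names below are placeholders.

# IAM member that represents a KSA inside the project's workload pool.
wi_member() {  # $1=project $2=namespace $3=ksa
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# A read-only workload gets Storage Object Viewer and nothing broader.
readonly_role_ok() {  # $1=role
  case "$1" in
    roles/storage.objectViewer) return 0 ;;
    *) return 1 ;;
  esac
}

# Reject public principals (option D) and the node-scoped default SA (option C).
principal_ok() {  # $1=principal
  case "$1" in
    allUsers|allAuthenticatedUsers) return 1 ;;
    *-compute@developer.gserviceaccount.com) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit the setup in order: GSA, bucket role, KSA->GSA binding, KSA annotation.
wi_setup() {  # $1=project $2=gsa_name $3=bucket $4=namespace $5=ksa $6=role
  gsa_email="$2@$1.iam.gserviceaccount.com"
  readonly_role_ok "$6" || { echo "refusing $6: read-only needs roles/storage.objectViewer" >&2; return 1; }
  principal_ok "serviceAccount:$gsa_email" || { echo "refusing principal $gsa_email" >&2; return 1; }
  echo "gcloud iam service-accounts create $2 --project=$1"
  echo "gcloud storage buckets add-iam-policy-binding gs://$3 --member=serviceAccount:$gsa_email --role=$6"
  echo "gcloud iam service-accounts add-iam-policy-binding $gsa_email --role=roles/iam.workloadIdentityUser --member=$(wi_member "$1" "$4" "$5")"
  echo "kubectl create serviceaccount $5 --namespace=$4"
  echo "kubectl annotate serviceaccount $5 --namespace=$4 iam.gke.io/gcp-service-account=$gsa_email"
}

# Demo with placeholder names: prints the five commands for the read-only case.
wi_setup demo-project app-reader demo-bucket default app-ksa roles/storage.objectViewer
```

The pod spec must then set serviceAccountName to the annotated KSA; a pod running as a different KSA keeps the node's identity, which is exactly the node-scoped access this section warns against.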