ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 3: Designing for Security and ComplianceDomain 3Workload IdentityGKE SecurityIAM

GCP PCA · Question 26 · Domain 3: Designing for Security and Compliance

Your development team is deploying a microservice to Google Kubernetes Engine (GKE). The microservice needs to read files from a Cloud Storage bucket. The security team strictly forbids the use of exported Service Account JSON keys due to the risk of credential leakage. How should you grant the GKE pods access to the Cloud Storage bucket?

Answer options:

A.

Assign the required Cloud Storage IAM role to the GKE underlying Compute Engine node service account.

B.

Store the Service Account JSON key in Kubernetes Secrets and mount it as a volume in the pod.

C.

Enable Workload Identity on the GKE cluster. Bind a Kubernetes Service Account (KSA) to a Google Service Account (GSA) that has access to the bucket.

D.

Configure VPC Service Controls to allow the GKE cluster's IP address to access the Cloud Storage bucket.

How to approach this question

Look for 'GKE pods accessing GCP services' + 'no JSON keys'. Workload Identity is the standard GCP solution for this.

Full Answer

C.Enable Workload Identity on the GKE cluster. Bind a Kubernetes Service Account (KSA) to a Google Service Account (GSA) that has access to the bucket.✓ Correct
Enable Workload Identity on the GKE cluster. Bind a Kubernetes Service Account (KSA) to a Google Service Account (GSA) that has access to the bucket.
Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services. This eliminates the need to manage Service Account keys (which can be leaked) and allows you to enforce least privilege at the pod level, rather than the node level.

Common mistakes

Choosing option A. Assigning permissions to the node pool service account is a legacy approach that grants overly broad permissions to all pods on the node.
25All questions27

Practice the full GCP Professional Cloud Architect Practice Exam 3

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...MediumQ02**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...HardQ03**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...MediumQ04**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...EasyQ05**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Medium
View all 50 questions →