An application running on Google Kubernetes Engine (GKE) needs to read data from a Cloud Storage bucket. What is the most secure way to grant the application access to the bucket?

Answer options:

Export a Service Account JSON key and store it as a Kubernetes Secret.

Grant the required IAM roles to the Compute Engine default service account used by the GKE nodes.

Enable Workload Identity on the GKE cluster and map a Kubernetes Service Account to a Google Cloud Service Account.

Make the Cloud Storage bucket public.

How to approach this question

Identify the modern, keyless authentication method for GKE workloads.

Full Answer

C.Enable Workload Identity on the GKE cluster and map a Kubernetes Service Account to a Google Cloud Service Account.✓ Correct

Workload Identity allows a Kubernetes Service Account (KSA) to act as a Google Service Account (GSA). Pods running as the KSA automatically authenticate as the GSA when accessing Google Cloud APIs. This eliminates the need to manage vulnerable JSON service account keys.

Common mistakes

Using node service accounts (B), which gives too much permission to all pods on the node.

Question 27 All questions Question 29

Practice the full GCP Professional Cloud Architect Practice Exam 5

50 questions · hints · full answers · grading

More questions from this exam

Q01CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Hard Q02CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Medium Q03CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Medium Q04CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Medium Q05CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Easy

View all 50 questions →