Hard · 1 mark · Multiple Choice
Subtask 3.1: Design for Security · Tags: Workload Identity, GKE, Security, IAM

GCP PCA · Question 40 · Design for Security

You are configuring a GKE cluster that runs multiple microservices. One specific microservice (Pod A) needs to read data from a Cloud Storage bucket. You want to follow the principle of least privilege and avoid using long-lived service account keys. Which TWO steps are required to implement Workload Identity for this pod? (Select TWO)

Answer options:

A. Create a Google Cloud Service Account (GSA) and grant it the Storage Object Viewer role.

B. Download the JSON key for the GSA and mount it as a Kubernetes Secret in Pod A.

C. Assign the GSA directly to the GKE Node Pool.

D. Create a Kubernetes Service Account (KSA), annotate it with the GSA, and configure an IAM policy binding between the KSA and GSA.

E. Enable the Metadata Concealment feature on the GKE cluster.

How to approach this question

Understand the two halves of Workload Identity: the Google Cloud identity (GSA) and the Kubernetes identity (KSA), and how the two are bound together.

Full Answer

A, D

Workload Identity is the recommended way for GKE applications to authenticate to Google Cloud services. It works by creating a relationship between a Kubernetes Service Account (KSA) and a Google Cloud Service Account (GSA). First, you create the GSA and give it the required IAM roles (Option A). Then, you create a KSA, annotate it with the GSA, and create an IAM binding that allows the KSA to impersonate the GSA (Option D). The pod is then configured to run as the KSA, so it obtains short-lived credentials for the GSA without any key file.
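The two required steps as a script, added here as an example rather than taken from the exam page. The names (my-proj, pod-a-gsa, default, pod-a-ksa, my-bucket) are assumed placeholders; it assumes Workload Identity is already enabled on the cluster and node pool, that gcloud and kubectl are authenticated, and it scopes the Storage Object Viewer grant to the single bucket instead of the whole project.

```shell
# Added example, not from the exam page. Placeholder names assumed: my-proj,
# pod-a-gsa, default, pod-a-ksa, my-bucket. Assumes Workload Identity is enabled
# on the cluster/node pool and that gcloud and kubectl are authenticated.

wi_member() {  # IAM member for a KSA in the workload pool: $1 project $2 ns $3 ksa
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

gsa_email() {  # $1 project, $2 gsa
  printf '%s@%s.iam.gserviceaccount.com' "$2" "$1"
}

# Option A: create the GSA; grant Storage Object Viewer on the one bucket only.
create_gsa() {  # $1 project, $2 gsa, $3 bucket
  gcloud iam service-accounts create "$2" --project "$1"
  gcloud storage buckets add-iam-policy-binding "gs://$3" \
    --member "serviceAccount:$(gsa_email "$1" "$2")" --role roles/storage.objectViewer
}

# Option D: create the KSA, allow it to impersonate the GSA (IAM binding), then
# annotate it so the GKE metadata server maps this KSA to the GSA.
bind_ksa_to_gsa() {  # $1 project, $2 gsa, $3 namespace, $4 ksa
  email=$(gsa_email "$1" "$2")
  kubectl create serviceaccount "$4" --namespace "$3"
  gcloud iam service-accounts add-iam-policy-binding "$email" --project "$1" \
    --role roles/iam.workloadIdentityUser --member "$(wi_member "$1" "$3" "$4")"
  kubectl annotate serviceaccount "$4" --namespace "$3" "iam.gke.io/gcp-service-account=$email"
}

# Pod A runs as the KSA; no JSON key (option B) is mounted anywhere.
pod_manifest() {  # $1 namespace, $2 ksa
  cat <<EOF
apiVersion: v1
kind: Pod
metadata: {name: pod-a, namespace: $1}
spec:
  serviceAccountName: $2
  containers: [{name: app, image: IMAGE_PLACEHOLDER}]
EOF
}

# End to end: sh wi.sh PROJECT GSA NAMESPACE KSA BUCKET (no-op without args).
if [ "$#" -eq 5 ]; then
  create_gsa "$1" "$2" "$5"
  bind_ksa_to_gsa "$1" "$2" "$3" "$4"
  pod_manifest "$3" "$4" | kubectl apply -f -
fi
```

Once applied, the pod's calls to the metadata server return tokens for the GSA, and `gcloud auth list` inside the container shows the GSA email rather than a node service account.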

Common mistakes

Selecting Option B (JSON keys) or Option C (node pool service accounts). Both are legacy anti-patterns that Workload Identity was designed to replace: a downloaded key is a long-lived credential that can leak, and a node pool service account is shared by every pod scheduled on the node rather than scoped to Pod A.

Practice the full GCP Professional Cloud Architect Practice Exam 7