GCP Professional Cloud Architect Practice Question
Your company runs a multi-tenant SaaS platform on Cloud Run services deployed to multiple regions. Application containers require database credentials and third-party API tokens at startup. Security requirements mandate: 1) secrets must not be stored in container images or source control, 2) rotation must be possible without redeploying services, 3) audit logs of secret access must be retained, and 4) developers should read secrets only in non-production projects. Which design best satisfies these requirements?
Store each credential as a Secret Manager secret with automatic replication; grant Cloud Run runtime service accounts roles/secretmanager.secretAccessor in production, give developers roles/secretmanager.secretViewer only in dev/test projects, configure Cloud Run to inject the secrets as environment variables referencing version "latest" so new versions are used without redeploying, and enable Secret Manager Data Access audit logs to retain access records.
Create Kubernetes Secrets in a GKE cluster, sync them to Cloud Run using Config Connector, and hard-code service account keys in the deployment YAML. Rotate by redeploying the YAML manifests and monitor access through GKE audit logs.
Encrypt secrets with a customer-managed key in Cloud KMS, upload the ciphertext to a private Cloud Storage bucket, and let Cloud Run read the files at startup via Cloud Storage FUSE. Replace the objects when rotating credentials and rely on bucket access logs for auditing.
Inject credentials as build-time substitution variables in Cloud Build, store the values in a secured parameter file inside Cloud Source Repositories, and redeploy Cloud Run whenever a secret changes. Control developer access with repository ACLs.
Secret Manager stores credentials outside container images and provides versioning. Cloud Run can inject secrets as environment variables that reference the latest version alias, so adding a new secret version automatically rotates credentials without redeploying the service. Granting the Cloud Run runtime service account the roles/secretmanager.secretAccessor role in production allows the workload, rather than developers, to read secrets, while developers receive only viewer access in dev/test projects. Enabling Secret Manager Data Access audit logs (Admin Activity logs are always on) ensures that every secret read is captured and retained. The other options either embed secrets in source or containers, require redeployments for rotation, or lack fine-grained IAM and native auditing.
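The correct design expressed as Terraform, added here as an illustration rather than code from the exam page or any Google sample. It assumes the provider's default project is the production project, a placeholder PROJECT_ID, an existing runtime service account and image path, and leaves the dev-project viewer binding (roles/secretmanager.viewer) to that project's own configuration.

```hcl
# Assumed: provider default project = production; PROJECT_ID, the runtime
# service account and the image path are placeholders, not real values.
locals {
  runtime_sa = "saas-api-runtime@PROJECT_ID.iam.gserviceaccount.com"
}
# Requirement 1: the credential lives in Secret Manager, not in the image or repo.
# Versions are added out of band (gcloud secrets versions add), never from source.
resource "google_secret_manager_secret" "db_password" {
  secret_id = "db-password"
  replication {
    auto {}
  }
}
# Only the Cloud Run runtime identity may read the value in production.
resource "google_secret_manager_secret_iam_member" "runtime_accessor" {
  secret_id = google_secret_manager_secret.db_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${local.runtime_sa}"
}
# Requirement 2: reference the "latest" alias so adding a new version rotates the
# credential without a new deployment of the service.
resource "google_cloud_run_v2_service" "api" {
  name     = "saas-api"
  location = "us-central1"
  template {
    service_account = local.runtime_sa
    containers {
      image = "us-docker.pkg.dev/PROJECT_ID/saas/api:latest"
      env {
        name = "DB_PASSWORD"
        value_source {
          secret_key_ref {
            secret  = google_secret_manager_secret.db_password.secret_id
            version = "latest"
          }
        }
      }
    }
  }
  depends_on = [google_secret_manager_secret_iam_member.runtime_accessor]
}
# Requirement 3: Data Access audit logs for Secret Manager (Admin Activity is always on).
resource "google_project_iam_audit_config" "secretmanager" {
  project = "PROJECT_ID"
  service = "secretmanager.googleapis.com"
  audit_log_config {
    log_type = "DATA_READ"
  }
}
```

Rotation is then a `gcloud secrets versions add db-password --data-file=-` with no redeploy; note that an environment-variable secret is resolved when a Cloud Run instance starts, so already-running instances keep the value they read at startup and new instances pick up the new version.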
Exam domain: Designing for security and compliance