GCP Professional Cloud Architect Practice Question
Your data science team runs nightly Python batch jobs on unmanaged Compute Engine VMs to process BigQuery datasets and write results to Cloud Storage. Currently the scripts use hard-coded API keys through the google-api-python-client. Security wants to eliminate embedded secrets and enforce least privilege, while also reducing code maintenance. Which approach should you recommend?
Implement an OAuth 2.0 installed-application flow that prompts an operator to grant access each time the batch job starts and caches the refresh token on disk.
Attach a least-privilege service account to each VM and migrate the code to Google Cloud Client Libraries, which use Application Default Credentials obtained from the metadata server.
Store the existing API keys in Secret Manager and load them as environment variables at runtime while continuing to use google-api-python-client.
Add a startup script that runs gcloud auth application-default login so the code can read user credentials from the gcloud configuration directory.
Attaching a dedicated IAM service account to each VM and switching to Google Cloud Client Libraries allows the code to rely on Application Default Credentials. The libraries automatically fetch short-lived OAuth 2.0 access tokens from the Compute Engine metadata server, so no secrets are stored in code or on disk. Because the service account only has the minimum IAM roles required, the principle of least privilege is satisfied. The other options either continue to depend on long-lived API keys or user credentials, store secrets locally, or require interactive consent, all of which violate the stated security and maintainability goals.
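The token fetch described in the explanation, as an added example that is not part of the original question page: a standard-library Python version of the request that Application Default Credentials make to the Compute Engine metadata server. StubMetadata, the sample token and demo() are constructed here so the code runs offline; on a real VM the Cloud Client Libraries perform this step for you.

```python
import json
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

METADATA_BASE = "http://metadata.google.internal"  # resolves only on GCP
TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"
# Metadata requests must never be routed through an HTTP proxy.
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_access_token(base_url=METADATA_BASE, timeout=2.0):
    """Return (token, expiry_epoch) for the VM's attached service account."""
    req = urllib.request.Request(base_url + TOKEN_PATH,
                                 headers={"Metadata-Flavor": "Google"})
    with DIRECT.open(req, timeout=timeout) as resp:
        # The metadata server echoes this header; reject anything else.
        if resp.headers.get("Metadata-Flavor") != "Google":
            raise RuntimeError("response did not come from a metadata server")
        body = json.load(resp)
    return body["access_token"], time.time() + int(body["expires_in"])


class StubMetadata(BaseHTTPRequestHandler):
    """Constructed stand-in for the metadata server (offline demo only)."""
    def do_GET(self):
        ok = (self.path == TOKEN_PATH
              and self.headers.get("Metadata-Flavor") == "Google")
        payload = json.dumps({"access_token": "constructed-sample-token",
                              "expires_in": 3599, "token_type": "Bearer"})
        self.send_response(200 if ok else 403)
        self.send_header("Metadata-Flavor", "Google")
        self.end_headers()
        self.wfile.write(payload.encode() if ok else b"")

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run fetch_access_token against the local stub and return its result."""
    server = HTTPServer(("127.0.0.1", 0), StubMetadata)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch_access_token("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

The token is short-lived and tied to the attached service account, so the job holds nothing that needs rotating and nothing is written to disk.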
GCP Professional Cloud Architect
Managing implementation