GCP Professional Cloud Architect Practice Question

Your organization hosts its source code in GitHub and triggers a GitHub Actions workflow on every commit. The workflow must execute gcloud and gsutil commands that create and configure Cloud Storage buckets in both dev and prod Google Cloud projects. The security team forbids storing any long-lived credentials, including service account key files or user OAuth tokens, in the repository or runner. As the cloud architect, which authentication approach best aligns with Google Cloud security best practices?

  • Store a base64-encoded service account JSON key in GitHub encrypted secrets and activate it with gcloud auth activate-service-account during the workflow.

  • Create a project-wide unrestricted API key and set it as an environment variable in the GitHub Actions runner for all gcloud and gsutil calls.

  • Configure Workload Identity Federation with an external identity pool and OIDC provider for GitHub, allowing the workflow to exchange its GitHub-issued identity token for a short-lived access token on a dedicated Google Cloud service account at runtime.

  • Use gcloud auth login --no-launch-browser beforehand, save the resulting OAuth refresh token in a GitHub secret, and reuse it for future workflow runs.

GCP Professional Cloud Architect
Managing implementation