GCP Professional Cloud Architect Practice Question
Your security operations team must regularly generate and rotate short-lived service-account keys across dozens of Google Cloud projects. Today, senior engineers run a Bash script from their laptops with the gcloud CLI, but executions frequently fail because team members have outdated SDK versions or stale local credentials.
Leadership asks you to redesign the workflow so that:
It is reproducible and consistent across engineers.
No long-lived credentials remain on engineer workstations.
Additional operational cost and complexity are avoided.
Which solution best meets these requirements?
Provision a small, always-running f1-micro Compute Engine VM in each project, install the Cloud SDK, copy the script to the instance, and allow engineers to SSH in and execute it when needed.
Package the script into a container image and deploy it to Cloud Run in every project. Expose an IAM-authenticated HTTPS endpoint that engineers call to trigger key rotation.
Create a Cloud Build pipeline that runs automatically every night in each project. Grant the Cloud Build runtime service account permissions to manage service-account keys so that each build rotates keys on schedule.
Store the key-rotation script in each engineer's Cloud Shell $HOME directory (persisted on the free 5-GB disk). Engineers open Cloud Shell on demand, run the script with the pre-installed gcloud CLI, and close the session when finished.
Running the rotation script interactively from Cloud Shell satisfies all stated goals:
Cloud Shell provides an up-to-date, fully authenticated gcloud CLI out of the box, so engineers no longer need to manage local SDK versions or credentials.
Placing the script in the Cloud Shell $HOME directory preserves it on the free 5-GB persistent disk across sessions, ensuring a consistent execution environment for all team members.
Engineers invoke the script only when rotation is actually required, so no automated job runs (and bills) when nothing needs to be done.
Because execution happens inside the ephemeral Cloud Shell VM, no credentials are stored on individual laptops, and the VM is shut down automatically when the session ends, limiting exposure.
The other options introduce unnecessary risk or cost:
Deploying the script to Cloud Run would expose a public endpoint and require careful handling of IAM and environment variables, increasing the attack surface.
A nightly Cloud Build pipeline would consume build minutes every day (even when rotation is unnecessary) and would still require granting the Cloud Build service account the ability to create and destroy keys.
Maintaining always-on Compute Engine VMs adds ongoing infrastructure cost and operational overhead without providing clear benefits over the on-demand environment that Cloud Shell already supplies.
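As an added illustration (not part of the original question or its answer key), here is a sketch of the kind of rotation script an engineer could keep in the Cloud Shell $HOME directory and source on demand. The function names and the MAX_AGE_DAYS and DRY_RUN variables are assumptions, and the script assumes gcloud prints key creation times as UTC "YYYY-MM-DDTHH:MM:SSZ".

```bash
#!/usr/bin/env bash
# Added example (not from the original page): on-demand key rotation for Cloud Shell.
# Assumptions: MAX_AGE_DAYS, DRY_RUN and all function names are hypothetical;
# validAfterTime is UTC "YYYY-MM-DDTHH:MM:SSZ", so string order equals time order.

MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print mutating gcloud calls instead of running them

# Oldest creation time a key may have and still be kept (GNU date assumed).
cutoff_utc() { date -u -d "${MAX_AGE_DAYS} days ago" +%Y-%m-%dT%H:%M:%SZ; }

# stdin: "KEY_ID<TAB>validAfterTime" lines; prints IDs created before cutoff $1.
expired_key_ids() {
  awk -v cutoff="$1" 'NF >= 2 && $2 < cutoff { print $1 }'
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi; }

# $1 = service-account email, $2 = project, $3 = new key file, $4 = cutoff (optional)
rotate_sa() {
  local sa="$1" project="$2" out="$3" cutoff="${4:-$(cutoff_utc)}" id
  # Create the replacement first; if that fails, leave the old keys in place.
  ( umask 077; run gcloud iam service-accounts keys create "$out" \
      --iam-account="$sa" --project="$project" ) || return 1
  # Only user-managed keys can be deleted; Google-managed ones rotate themselves.
  gcloud iam service-accounts keys list --iam-account="$sa" --project="$project" \
      --managed-by=user --format='value(name.basename(),validAfterTime)' |
    expired_key_ids "$cutoff" |
    while read -r id; do
      run gcloud iam service-accounts keys delete "$id" \
        --iam-account="$sa" --project="$project" --quiet </dev/null
    done
}

# Usage from Cloud Shell, after reviewing the dry-run output:
#   DRY_RUN=0 rotate_sa SA_EMAIL PROJECT_ID /tmp/new-key.json
# Keep key files out of $HOME, which persists across sessions.
```

With DRY_RUN left at its default of 1, the script only lists keys and prints the create and delete calls it would make, so the selection can be reviewed per project before anything changes.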
GCP Professional Cloud Architect
Managing implementation