GCP Professional Cloud Architect Practice Question
Your security team mandates that workloads running in a GKE cluster in project "prod-app" must pull container images from an Artifact Registry repository in project "cicd-registry" and write application logs into a BigQuery dataset in project "analytics". You must enforce least privilege, avoid any long-lived credentials on the nodes, and allow future microservices in the cluster to adopt the same pattern without code changes. What should you do?
Create a custom IAM role combining Artifact Registry Reader and BigQuery Data Editor, assign it to the DevOps user group in both projects, and inject an access token into each pod at runtime with an init container.
Allow GKE nodes to run with the project's default Compute Engine service account and grant that account Artifact Registry Reader on cicd-registry and BigQuery Data Editor on the analytics dataset.
Enable Workload Identity on the cluster, create a dedicated Google service account, grant it Artifact Registry Reader on cicd-registry and BigQuery Data Editor on the analytics dataset, and map the cluster's default Kubernetes service account to impersonate this Google service account.
Export a JSON key for the Artifact Registry service account in cicd-registry, store it in Secret Manager, and mount the key into pods together with BigQuery credentials for direct use by application code.
Workload Identity lets GKE workloads obtain short-lived OAuth2 tokens for a Google service account (GSA) without exporting keys. Creating a dedicated GSA with only roles/artifactregistry.reader on the cicd-registry project and roles/bigquery.dataEditor on the target dataset meets the principle of least privilege. Annotating the default Kubernetes service account to impersonate that GSA makes the mechanism reusable by other pods in the cluster. Relying on the node's default Compute Engine service account grants excessive permissions, while distributing user credentials or service-account keys introduces long-lived secrets that violate the security requirement.
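As an added example (not part of the original question), the check below verifies that an existing cluster follows the pattern in the correct answer: the default Kubernetes service account carries the Workload Identity annotation, only that KSA holds roles/iam.workloadIdentityUser on the dedicated GSA, and the GSA's grants are exactly the two roles named. The GSA name app-wi@prod-app.iam.gserviceaccount.com and the dataset name app_logs are assumed placeholders, and the inputs are constructed stand-ins for kubectl and gcloud output rather than live API calls.

```python
# Annotation GKE reads to map a KSA to a GSA, and the role that permits impersonation.
WI_ANNOTATION = "iam.gke.io/gcp-service-account"
WI_USER_ROLE = "roles/iam.workloadIdentityUser"

# Least-privilege grants the dedicated GSA may hold, per resource.
# The dataset name "app_logs" is an assumed placeholder.
ALLOWED_GRANTS = {
    "projects/cicd-registry": {"roles/artifactregistry.reader"},
    "projects/analytics/datasets/app_logs": {"roles/bigquery.dataEditor"},
}

def wi_member(project_id, namespace, ksa):
    """Principal GKE presents for a Kubernetes SA under Workload Identity."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"

def check_binding(ksa_manifest, gsa_policy, grants, project_id):
    """Return findings (empty list = binding matches the least-privilege pattern)."""
    meta = ksa_manifest.get("metadata", {})
    gsa = meta.get("annotations", {}).get(WI_ANNOTATION)
    if not gsa:
        return [f"KSA lacks {WI_ANNOTATION} annotation"]
    member = wi_member(project_id, meta["namespace"], meta["name"])
    findings = []
    # Only this KSA may impersonate the GSA; any other member widens the blast radius.
    for b in gsa_policy.get("bindings", []):
        if b["role"] == WI_USER_ROLE:
            findings += [f"unexpected impersonator on {gsa}: {m}"
                         for m in b["members"] if m != member]
            if member not in b["members"]:
                findings.append(f"{member} cannot impersonate {gsa}")
            break
    else:
        findings.append(f"{gsa} has no {WI_USER_ROLE} binding")
    # Grants must match the allowed set exactly: nothing extra, nothing missing.
    for res in sorted(set(grants) | set(ALLOWED_GRANTS)):
        held, allowed = grants.get(res, set()), ALLOWED_GRANTS.get(res, set())
        findings += [f"excess grant {r} on {res}" for r in sorted(held - allowed)]
        findings += [f"missing grant {r} on {res}" for r in sorted(allowed - held)]
    return findings

# Constructed stand-in for `kubectl get sa default -n default -o json`.
KSA = {"metadata": {"name": "default", "namespace": "default",
       "annotations": {WI_ANNOTATION: "app-wi@prod-app.iam.gserviceaccount.com"}}}
# Constructed stand-in for `gcloud iam service-accounts get-iam-policy --format=json`.
GSA_POLICY = {"bindings": [{"role": WI_USER_ROLE,
              "members": ["serviceAccount:prod-app.svc.id.goog[default/default]"]}]}
# Constructed summary of the roles the GSA currently holds, per resource.
GRANTS = {"projects/cicd-registry": {"roles/artifactregistry.reader"},
          "projects/analytics/datasets/app_logs": {"roles/bigquery.dataEditor"}}

if __name__ == "__main__":
    print(check_binding(KSA, GSA_POLICY, GRANTS, "prod-app") or "OK: least-privilege binding")
```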
GCP Professional Cloud Architect
Designing for security and compliance