GCP Professional Cloud Architect Practice Question
Your team delivers a Go microservice that uses Google Cloud client libraries for BigQuery and Pub/Sub. The same container image must run in three locations:
Developers' laptops during local integration tests
A Cloud Build continuous-integration job
A production Cloud Run service in the europe-west1 region
The service code must obtain credentials automatically in every environment without any code changes or long-lived key files baked into the image. What should you do?
Require developers and Cloud Build to pass a user access token as a command-line flag at runtime, and configure the Cloud Run service with the run.invoker IAM role only.
Use Application Default Credentials everywhere: instruct developers to run "gcloud auth application-default login", configure Cloud Build to run with its default service account, and assign a dedicated IAM service account to the Cloud Run service. Rely on the client libraries to obtain tokens from each environment's metadata server or well-known file.
Store an OAuth 2.0 client ID and secret in Secret Manager; have the container retrieve them at startup and perform a three-legged OAuth web flow to obtain access tokens.
Embed a JSON key for a single service account inside the container and set the GOOGLE_APPLICATION_CREDENTIALS environment variable to that path in all three environments.
Application Default Credentials (ADC) discover usable credentials in a fixed order.
On a developer's workstation, running "gcloud auth application-default login" places user credentials in the well-known file location. The client library then picks them up automatically.
Cloud Build automatically runs each build step under the Cloud Build service account. Because a metadata server is exposed inside the build step, ADC retrieves a short-lived access token for that service account without needing any key file.
Cloud Run lets you specify a service account for the revision. When the container starts, the Cloud Run metadata server delivers tokens for that account, and ADC picks them up. This approach meets the requirement with no code changes and no embedded keys. The other options either embed long-lived secrets in the image or rely on OAuth client credentials that are not intended for server-to-server workloads, creating additional operational and security burden.
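To make the discovery order above concrete, here is an added Go example (not code from the page, and not Google's client library) that walks the same three locations the ADC lookup consults: the GOOGLE_APPLICATION_CREDENTIALS file, gcloud's well-known file under the home directory, and the metadata server's token endpoint. The resolver type, its field names and the `Resolve`/`FetchMetadataToken` functions are this example's own; the metadata path and the `Metadata-Flavor: Google` header are the real ones used on Compute Engine, Cloud Build and Cloud Run. It also mirrors a detail the library enforces: an environment variable that points at a missing or malformed file is an error, not a fall-through to the next source.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// Source identifies where the ADC lookup found credentials.
type Source string

const (
	SourceEnvFile   Source = "GOOGLE_APPLICATION_CREDENTIALS key file"
	SourceWellKnown Source = "gcloud well-known file"
	SourceMetadata  Source = "metadata server"
)

// Real endpoint that returns an access token for the attached service account.
const metadataTokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// Resolver holds the locations ADC consults, in lookup order (example type).
type Resolver struct {
	EnvCredentialPath string       // GOOGLE_APPLICATION_CREDENTIALS value, "" if unset
	WellKnownPath     string       // ~/.config/gcloud/application_default_credentials.json
	MetadataURL       string       // http://metadata.google.internal on GCP
	Client            *http.Client // short timeout so laptops fail fast
}

// Token is the JSON document the metadata token endpoint returns.
type Token struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// DefaultResolver mirrors the real defaults: env var, gcloud's well-known file, GCE metadata host.
func DefaultResolver() Resolver {
	home, _ := os.UserHomeDir()
	return Resolver{
		EnvCredentialPath: os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"),
		WellKnownPath:     filepath.Join(home, ".config", "gcloud", "application_default_credentials.json"),
		MetadataURL:       "http://metadata.google.internal",
		Client:            &http.Client{Timeout: 2 * time.Second},
	}
}

// Resolve walks the ADC order. A set-but-unusable env var is an error, not a fall-through.
func (r Resolver) Resolve() (Source, error) {
	if r.EnvCredentialPath != "" {
		if err := checkCredentialFile(r.EnvCredentialPath); err != nil {
			return "", fmt.Errorf("GOOGLE_APPLICATION_CREDENTIALS is set but unusable: %w", err)
		}
		return SourceEnvFile, nil
	}
	if err := checkCredentialFile(r.WellKnownPath); err == nil {
		return SourceWellKnown, nil
	}
	if _, err := FetchMetadataToken(r.Client, r.MetadataURL); err == nil {
		return SourceMetadata, nil
	}
	return "", errors.New("no ADC source: run 'gcloud auth application-default login' or attach a service account")
}

// checkCredentialFile accepts JSON with a "type" field; both service_account keys
// and authorized_user files written by gcloud carry one.
func checkCredentialFile(path string) error {
	raw, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	var doc struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return err
	}
	if doc.Type == "" {
		return fmt.Errorf("%s: missing \"type\" field", path)
	}
	return nil
}

// FetchMetadataToken requests a token; the call must send Metadata-Flavor: Google
// and a genuine metadata server echoes that header back, which we check.
func FetchMetadataToken(client *http.Client, baseURL string) (Token, error) {
	if client == nil {
		client = &http.Client{Timeout: 2 * time.Second}
	}
	req, err := http.NewRequest(http.MethodGet, baseURL+metadataTokenPath, nil)
	if err != nil {
		return Token{}, err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := client.Do(req)
	if err != nil {
		return Token{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK || resp.Header.Get("Metadata-Flavor") != "Google" {
		return Token{}, fmt.Errorf("not a metadata server: status %d", resp.StatusCode)
	}
	var tok Token
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return Token{}, err
	}
	return tok, nil
}

func main() {
	src, err := DefaultResolver().Resolve()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("credentials from:", src)
}
```

Run it on a laptop after `gcloud auth application-default login` and it reports the well-known file; inside Cloud Build or Cloud Run, with no file present, it reports the metadata server, which is exactly why the same image needs no per-environment code path. Only the discovery logic is shown; token caching and refresh are left to the real client libraries.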