GCP Professional Cloud Security Engineer Practice Question
A company's on-premises Jenkins controller runs in a data center that already issues OpenID Connect (OIDC) ID tokens for each build agent. The build pipeline must push container images to Artifact Registry and apply manifests to several Google Kubernetes Engine clusters that reside in different projects. Security policy forbids long-lived service account keys and mandates least-privilege access. Which approach best satisfies the requirements while minimizing ongoing operational effort?
Create a Workload Identity Pool and OIDC provider, allow the Jenkins-issued tokens to impersonate a dedicated Google Cloud service account, and grant that account only the roles needed for Artifact Registry and GKE deployments.
Grant the Compute Engine default service account the Editor role in each project and reference that account in the Jenkins pipeline using service account impersonation.
Configure Jenkins jobs to launch Cloud Shell sessions with gcloud auth login and use the authenticated user's credentials to perform deployments.
Create a new service account key in JSON format, store it as a secret in Jenkins, and rotate the key every 90 days.
Workload Identity Federation lets an external workload present an OIDC ID token to Google Cloud's Security Token Service and receive a short-lived access token scoped to a Google service account. No user-managed key material is created or stored, removing the operational burden of key rotation and the risk of key leakage. Granting only the narrow Artifact Registry and GKE deployment roles to the dedicated service account upholds least privilege. Storing a JSON key in Jenkins or assigning the overly broad Editor role-whether via default or custom service accounts-violates the key-management and privilege requirements. Likewise, using Cloud Shell credentials from Jenkins is impractical and still relies on a user account session rather than a federated, short-lived credential flow.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Workload Identity Federation in Google Cloud?
Open an interactive chat with Bash
What are OIDC ID tokens and their usage in Workload Identity Federation?
Open an interactive chat with Bash
How does Workload Identity Federation enforce least privilege by using service account roles?
Open an interactive chat with Bash
What is Workload Identity Federation?
Open an interactive chat with Bash
What is an OpenID Connect (OIDC) ID token?
Open an interactive chat with Bash
What are the benefits of least-privilege access in cloud security?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .