GCP Professional Cloud Security Engineer Practice Question

A global fintech company runs its CI/CD pipelines on self-hosted GitLab runners in an on-premises data center. The pipelines must build container images and deploy them to Cloud Run services in several Google Cloud projects. Corporate policy forbids keeping any long-lived Google Cloud credentials on-prem, and every pipeline execution must obtain fresh, short-lived credentials automatically without human interaction. Which authentication approach best meets these requirements while aligning with Google-recommended security practices?

  • Re-enable the Compute Engine default service account in one project, export its private key, and reuse that key across all runners and deployments.

  • Create a dedicated Cloud Identity user for each runner, enforce two-factor authentication, and have the pipeline authenticate via the OAuth installed-app flow.

  • Generate a single service account with the Editor role, download its JSON key, store it in GitLab's secret store, and use Application Default Credentials during the pipeline.

  • Configure Workload Identity Federation so each GitLab runner exchanges its OIDC token for a short-lived access token that impersonates a per-project service account.
