GCP Professional Cloud Security Engineer Practice Question
A legacy automation job runs inside Google Cloud Build and still relies on reading a JSON key file for a user-managed service account. Your security team forbids checking the key into source control or writing it unencrypted to any persistent disk, but agrees that the key may continue to exist if it is protected by Google-managed encryption and tightly scoped IAM. You must update the build so the script can still read the key with almost no code changes and without violating policy. Which solution best meets these requirements?
Mount the key into the build step from a Kubernetes ConfigMap that is base64-encoded and protected by GKE-specific IAM permissions.
Delete the key entirely and configure the build to impersonate the service account using the iam.serviceAccountTokenCreator role.
Encrypt the key with Cloud KMS, upload the ciphertext to a dedicated Cloud Storage bucket, and have the build step download and decrypt the file before execution.
Store the JSON key as a Secret Manager secret, grant the Cloud Build service account "secretmanager.versions.access", and reference the secret with the secrets/secretEnv block so the script reads it from an injected environment variable.
Storing the JSON key as a Secret Manager secret and referencing it in the cloudbuild.yaml file through the secrets/secretEnv stanza keeps the credential encrypted at rest with Google-managed keys. Cloud Build injects the secret value only into an in-memory environment variable for the duration of the build step and discards it afterward, so the key is never written unencrypted to persistent storage. Granting the Cloud Build service account the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor, which carries the secretmanager.versions.access permission) limits who can retrieve the secret. The other options either keep the key in less secure locations (Cloud Storage, a ConfigMap) or eliminate the key altogether, something the legacy job cannot yet accommodate.
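As an added illustration (not part of the original question and not Google's reference configuration), the following cloudbuild.yaml shows the pattern described above using Cloud Build's current `availableSecrets` / `secretEnv` syntax for Secret Manager (the older top-level `secrets` block is the KMS-encrypted variant). PROJECT_ID, PROJECT_NUMBER, legacy-sa-key and run_job.sh are placeholders, and the step is assumed to run in a container image that provides a tmpfs at /dev/shm:

```yaml
# Added example: inject a Secret Manager secret into one build step as an
# environment variable. All names below are placeholders, not values taken
# from the question.
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    # "$$SA_KEY" is escaped so Cloud Build substitution leaves it alone and
    # the shell expands it at run time from the injected environment.
    # The legacy script expects a file path, so the key is written only to
    # tmpfs (memory-backed, not a persistent disk) and removed when the step
    # ends; changing the script to read the variable directly avoids even that.
    args:
      - '-c'
      - |
        set -euo pipefail
        umask 077
        printf '%s' "$$SA_KEY" > /dev/shm/sa-key.json
        GOOGLE_APPLICATION_CREDENTIALS=/dev/shm/sa-key.json ./run_job.sh
        rm -f /dev/shm/sa-key.json
    # Only secrets listed here are visible to this step; other steps get nothing.
    secretEnv: ['SA_KEY']

availableSecrets:
  secretManager:
    # Pin an explicit version in production; "latest" would let a newly
    # added version change the build's identity without a config change.
    - versionName: projects/PROJECT_ID/secrets/legacy-sa-key/versions/1
      env: 'SA_KEY'

# One-time IAM grant, scoped to this single secret rather than the project:
#   gcloud secrets add-iam-policy-binding legacy-sa-key \
#     --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
#     --role="roles/secretmanager.secretAccessor"
```

Secret Manager audit logs record each AccessSecretVersion call, so reads of the key by the build can be reviewed and alerted on like any other credential use.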