GCP Professional Cloud Security Engineer Practice Question
An on-premises Jenkins server builds container images and deploys them to Cloud Storage and Cloud Run in a Google Cloud project. Company policy forbids keeping any long-lived service-account keys outside Google Cloud. Jenkins can obtain OpenID Connect (OIDC) ID tokens issued by the corporate Azure AD for each job. A dedicated service account with the necessary IAM roles already exists. How should you grant Jenkins 30-minute credentials to Google Cloud with minimal operational overhead?
Configure a Workload Identity Pool with an OIDC provider that trusts Azure AD, grant its principal set the iam.workloadIdentityUser role on the service account, and have Jenkins exchange its Azure-issued ID token for a short-lived Google Cloud access token before each deployment.
Create a Google OAuth 2.0 client for Jenkins, issue an offline refresh token, and have Jenkins use it to request new access tokens whenever it runs a build.
Generate a user-managed JSON key for the service account, encrypt it with Cloud KMS, store it in Secret Manager, and have Jenkins decrypt and use the key at build time.
Attach the service account to a dedicated Compute Engine jump-host VM and require Jenkins jobs to SSH into the VM and run gcloud commands using the VM's metadata server credentials.
Workload Identity Federation lets external workloads exchange short-lived OIDC tokens from a trusted identity provider for Google Cloud access tokens, avoiding any user-managed service-account keys. By creating a Workload Identity Pool and an OIDC provider that trusts Azure AD, you can bind the identity pool's principal set to the existing service account with the iam.workloadIdentityUser role. Each Jenkins job then exchanges its Azure-issued ID token for a short-lived (up to one hour, e.g., 30 minutes) access token, satisfying the requirement for temporary credentials while eliminating the operational burden of generating, storing, rotating, and securing long-lived keys.
The other approaches violate policy or add unnecessary complexity:
Storing an encrypted JSON key in Secret Manager or using an OAuth refresh token still relies on long-lived secrets that must be rotated and protected.
Using a jump-host VM with the service account attached shifts, but does not eliminate, persistent credentials and adds operational overhead.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Workload Identity Federation in Google Cloud?
Open an interactive chat with Bash
How does the Workload Identity Pool trust an external OIDC provider like Azure AD?
Open an interactive chat with Bash
Why are long-lived service account keys considered insecure?
Open an interactive chat with Bash
What is Workload Identity Federation?
Open an interactive chat with Bash
How does OpenID Connect (OIDC) work in this context?
Open an interactive chat with Bash
Why is the iam.workloadIdentityUser role needed in this setup?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .