GCP Professional Cloud Security Engineer Practice Question
Your company is launching a new microservice in a production Google Kubernetes Engine (GKE) cluster in project "prod-retail". The microservice needs read-only access to a single Cloud Storage bucket in the same project. The security policy requires following Google's recommended procedure for creating service accounts and enforcing least privilege while preventing long-lived credentials. Which approach should the platform engineer implement?
Create a dedicated service account in the prod-retail project, grant it roles/storage.objectViewer on the target bucket only, enable Workload Identity so the GKE pods can use the service account without keys, and disable the unused Compute Engine default service account.
Create a new service account at the organization level, assign it the Project Editor role on prod-retail, and allow GKE node service accounts to impersonate it via iam.serviceAccountUser.
For each pod replica, create a new service account with roles/storage.objectViewer on the bucket, generate a user-managed JSON key, store the key in Cloud Storage, and have the pod download the key during startup.
Reuse the project's Compute Engine default service account, grant it the Storage Admin role at the project level, and mount its JSON key into the pods as a Kubernetes secret.
The recommended workflow is to create a dedicated service account in the same project, grant it only the minimum required privilege-roles/storage.objectViewer on the specific bucket-and rely on Workload Identity so that GKE pods can obtain short-lived OAuth 2.0 tokens for that Google service account. This avoids generating and distributing user-managed keys and adheres to the principle of least privilege. Disabling the unused Compute Engine default service account removes unnecessary privilege in the project.
The alternatives are less secure or violate best practices:
Reusing the Compute Engine default service account and granting it Storage Admin at the project level is overly permissive and keeps an unnecessary high-privilege account active.
Creating an organization-level service account with the Editor role grants excessive permissions and isn't required for a single-project workload.
Distributing user-managed JSON keys to each pod introduces long-lived credentials and operational overhead that Google explicitly advises against.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Workload Identity in GKE?
Open an interactive chat with Bash
Why should the Compute Engine default service account be disabled in this setup?
Open an interactive chat with Bash
What does roles/storage.objectViewer allow in Cloud Storage?
Open an interactive chat with Bash
What is Workload Identity in GKE?
Open an interactive chat with Bash
What does the `roles/storage.objectViewer` role provide access to?
Open an interactive chat with Bash
Why is disabling the unused Compute Engine default service account recommended?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .