GCP Professional Cloud Security Engineer Practice Question
Your company maintains dozens of GCP projects. Developers run gcloud commands and Terraform locally, while GitLab CI pipelines execute outside Google Cloud. To enable these workflows, teams currently download user-managed JSON keys for a shared deployment service account, which violates a new policy that bans persistent credentials. You must redesign authentication to remove local keys, enforce least-privilege, and keep Cloud Audit Logs visibility with minimal operational overhead. What should you do?
Store the existing service account JSON keys in Secret Manager, rotate them automatically every 12 hours, and let developers and CI jobs retrieve the keys at runtime.
Grant the Compute Engine default service account Owner on each project and require developers and CI jobs to tunnel through a bastion VM to fetch tokens from the VM metadata server.
Configure Workload Identity Federation so that GitLab runners and developers use their existing OIDC or SAML credentials to obtain short-lived tokens that impersonate least-privilege deployment service accounts in each project.
Issue individual user-managed service account keys to every developer, restrict their usage with VPC Service Controls, and configure alerting on key creation and deletion events.
Workload Identity Federation lets external identities-such as the OIDC tokens from GitLab runners or the SAML/OIDC credentials developers already use-exchange their native credential for a short-lived Google Cloud access token that impersonates a dedicated service account. No JSON key files are created or stored locally, so the policy banning long-lived credentials is met. Each workload or user can be mapped to the minimum-privilege service account needed, and every token issuance is logged in Cloud Audit Logs for traceability. The other approaches continue to rely on long-lived service account keys, grant excessive permissions, or introduce unnecessary operational complexity, so they do not fully mitigate the risk the security team identified.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Workload Identity Federation?
Open an interactive chat with Bash
How does Workload Identity Federation enforce least-privilege access?
Open an interactive chat with Bash
How is Cloud Audit Logs visibility maintained with Workload Identity Federation?
Open an interactive chat with Bash
What is Workload Identity Federation?
Open an interactive chat with Bash
How does Workload Identity Federation enforce least privilege?
Open an interactive chat with Bash
What is the advantage of replacing JSON keys with short-lived tokens?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .