GCP Professional Cloud Security Engineer Practice Question
Your company's security policy forbids keeping long-lived Google Cloud credentials outside Google Cloud. A GitHub Actions workflow builds container images and runs gcloud commands to deploy to a Google Kubernetes Engine (GKE) cluster. Today the workflow authenticates by reading a base64-encoded JSON key for a user-managed service account that is stored in the repository's secrets. You must eliminate this compliance finding while continuing to deploy from GitHub. Which approach best meets the requirement?
Configure Workload Identity Federation to trust GitHub's OIDC tokens, grant the trusted identity roles/iam.workloadIdentityUser on a dedicated deployer service account, and have the workflow obtain short-lived access tokens at run time.
Move the JSON key to Secret Manager and retrieve it over HTTPS from the workflow so the key is never stored directly in the repository.
Grant the Compute Engine default service account the Editor role, download its private key, and store the key as a GitHub Actions secret for the deployment job.
Encrypt the existing JSON key with a customer-managed key in Cloud KMS, store the encrypted blob in the repository, and decrypt it in the workflow before running gcloud.
Workload Identity Federation lets an external workload, such as a GitHub Actions runner, exchange its native OIDC token for a short-lived Google Cloud access token, so no Google credential ever has to be stored on GitHub. Create a Workload Identity Pool and an OIDC provider that trusts GitHub's issuer (https://token.actions.githubusercontent.com), map the token's claims to pool attributes, and restrict the provider with an attribute condition so that only tokens from the deploying repository (and ideally a specific branch or environment) are accepted; without that condition, any GitHub repository could present a valid token to the provider. Then grant the pool's principal or principalSet the role roles/iam.workloadIdentityUser on a dedicated deployer service account that holds only the permissions the GKE deployment needs. In the workflow, give the job the id-token: write permission, use the google-github-actions/auth action to perform the exchange, and run gcloud with the resulting short-lived token. After the cutover, delete the existing user-managed key, and consider the iam.disableServiceAccountKeyCreation organization policy constraint so that new keys cannot be created.

The incorrect options do not remove the finding. Moving the key to Secret Manager or encrypting it with a Cloud KMS key only changes where the long-lived key is kept: the workflow would still need some Google credential to call Secret Manager or KMS in the first place, and once retrieved or decrypted the key is again a long-lived credential outside Google Cloud. Exporting a key for the Compute Engine default service account with the Editor role both violates least privilege and perpetuates key exposure. Configuring Workload Identity Federation with the proper IAM role is therefore the only option that fully addresses the policy requirement.
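As an added example (not part of the original question and not code from the google-github-actions/auth project), the following Python models the exchange the auth action performs and the checks the Security Token Service applies: issuer and audience validation, attribute mapping, the attribute condition that pins the provider to one repository and branch, the STS token-exchange request, and the IAM Credentials call that mints a token for the deployer service account. The endpoint URLs, parameter names, role and member formats are the real ones; the project number, pool, provider, repository and service-account names are placeholders, and the GitHub token is a constructed, unsigned sample. The real STS also verifies the token signature against GitHub's published keys, which this model omits.

```python
"""Model of the GitHub Actions -> Google Cloud Workload Identity Federation exchange.

Added example. Resource names below are placeholders (assumptions); the token
signature check done by the real STS is omitted.
"""
import base64
import json

PROJECT_NUMBER = "123456789012"   # placeholder
POOL = "github-pool"              # placeholder
PROVIDER = "github-provider"      # placeholder
DEPLOYER_SA = "gke-deployer@example-project.iam.gserviceaccount.com"  # placeholder
ALLOWED_REPO = "example-org/payments-api"                             # placeholder

PROVIDER_NAME = (f"projects/{PROJECT_NUMBER}/locations/global/"
                 f"workloadIdentityPools/{POOL}/providers/{PROVIDER}")

# Mirrors the settings given to `gcloud iam workload-identity-pools providers create-oidc`.
PROVIDER_CONFIG = {
    "issuer_uri": "https://token.actions.githubusercontent.com",
    # By default the provider accepts only its own full resource name as audience.
    "allowed_audiences": [f"https://iam.googleapis.com/{PROVIDER_NAME}"],
    # --attribute-mapping, simplified to target attribute -> GitHub claim.
    "attribute_mapping": {
        "google.subject": "sub",
        "attribute.repository": "repository",
        "attribute.ref": "ref",
    },
    # --attribute-condition is CEL on the real provider; a Python predicate stands in here.
    "attribute_condition": lambda claims: (
        claims["repository"] == ALLOWED_REPO and claims["ref"] == "refs/heads/main"
    ),
}


class FederationDenied(Exception):
    """Raised where STS would return an error instead of a federated token."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_github_token(repository: str, ref: str, now: int, aud: str = "") -> str:
    """Build an UNSIGNED JWT shaped like a GitHub Actions OIDC token.

    Constructed sample only: the signature segment is empty, so the real STS
    would reject it. The claim names match what GitHub issues."""
    claims = {
        "iss": "https://token.actions.githubusercontent.com",
        "aud": aud or PROVIDER_CONFIG["allowed_audiences"][0],
        "sub": f"repo:{repository}:ref:{ref}",
        "repository": repository,
        "repository_owner": repository.split("/")[0],
        "ref": ref,
        "event_name": "push",
        "iat": now, "nbf": now, "exp": now + 300,
    }
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def evaluate_provider(token: str, now: int) -> dict:
    """Apply the provider's trust checks, attribute mapping and condition."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") != PROVIDER_CONFIG["issuer_uri"]:
        raise FederationDenied("issuer not trusted")
    if claims.get("aud") not in PROVIDER_CONFIG["allowed_audiences"]:
        raise FederationDenied("audience mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise FederationDenied("token expired or not yet valid")
    mapped = {}
    for target, claim in PROVIDER_CONFIG["attribute_mapping"].items():
        if claim not in claims:
            raise FederationDenied(f"claim {claim!r} missing from token")
        mapped[target] = claims[claim]
    # google.subject is limited to 127 characters; long repo/environment names exceed it.
    if len(mapped["google.subject"]) > 127:
        raise FederationDenied("google.subject exceeds 127 characters")
    if not PROVIDER_CONFIG["attribute_condition"](claims):
        raise FederationDenied("attribute condition not satisfied")
    return mapped


def denied(token: str, now: int) -> bool:
    """True if the provider would reject the token."""
    try:
        evaluate_provider(token, now)
    except FederationDenied:
        return True
    return False


def build_exchange(token: str, now: int) -> dict:
    """Return the two requests the auth action makes, plus the IAM member that
    must hold roles/iam.workloadIdentityUser on the deployer service account."""
    mapped = evaluate_provider(token, now)
    sts_request = {  # step 1: GitHub JWT -> federated access token
        "url": "https://sts.googleapis.com/v1/token",
        "body": {
            "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "audience": f"//iam.googleapis.com/{PROVIDER_NAME}",
            "scope": "https://www.googleapis.com/auth/cloud-platform",
            "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
            "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "subject_token": token,
        },
    }
    pool_name = PROVIDER_NAME.split("/providers/")[0]
    member = (f"principalSet://iam.googleapis.com/{pool_name}"
              f"/attribute.repository/{mapped['attribute.repository']}")
    impersonation_request = {  # step 2: federated token -> deployer SA token (short-lived)
        "url": ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
                f"{DEPLOYER_SA}:generateAccessToken"),
        "body": {"scope": ["https://www.googleapis.com/auth/cloud-platform"], "lifetime": "3600s"},
    }
    return {"mapped": mapped, "sts_request": sts_request,
            "iam_member": member, "impersonation_request": impersonation_request}


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_github_token(ALLOWED_REPO, "refs/heads/main", now)
    print(json.dumps(build_exchange(good, now)["iam_member"]))
    print("other repo denied:", denied(make_github_token("evil-org/payments-api", "refs/heads/main", now), now))
```

The security of the whole scheme rests on the attribute condition and the IAM binding together: the condition decides which GitHub tokens the provider will exchange at all, and the principalSet member in the binding decides which of those may impersonate the deployer service account. A pool with no condition and a binding on the whole pool would let any GitHub repository deploy to the cluster.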
Exam domain: Configuring Access