Crucial Exams

GCP Professional Cloud Security Engineer Practice Question

Your organization runs hundreds of microservices across three GKE projects. The platform team is enabling mutual TLS and will use cert-manager to obtain workload certificates from a centrally managed CAS deployment. Requirements: 1) keep a single root of trust, 2) cert-manager service accounts must request and renew certificates yet never disable, delete, or modify CAs, 3) apply least-privilege IAM. Which IAM role should you grant each cert-manager service account on the relevant CA Pool (or its subordinate CAs) to satisfy these constraints?

  • Grant roles/viewer and let cert-manager impersonate a Cloud KMS key to sign CSRs programmatically.

  • Grant roles/privateca.admin to the cert-manager service accounts at the project level that hosts the CAS deployment.

  • Grant roles/privateca.caManager to each cert-manager service account on every Certificate Authority in the pool.

  • Grant roles/privateca.certificateRequester to each cert-manager service account on the relevant CA Pool or subordinate CAs.

GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot