GCP Professional Cloud Security Engineer Practice Question
Your organization's build pipeline runs in GitHub Actions. The workflow must deploy updates to a Google Cloud project, but security policy forbids storing any long-lived Google Cloud credentials in the repository. You need to design an authentication mechanism that allows the GitHub runner to obtain the minimal, short-lived access it needs at build time. Which solution best meets these requirements?
Create a Workload Identity Pool, configure an OIDC provider that trusts GitHub's identity tokens, grant the external principal permission to impersonate a Google Cloud service account, and let the runner exchange its GitHub OIDC token with the Security Token Service for a short-lived access token.
Generate a JSON key for the required service account, encrypt the key with Cloud KMS, store it as a GitHub secret, and decrypt it during each workflow run.
Enable Cloud Identity federation with GitHub and map the runner to a Cloud Identity user that is granted the Project Owner role.
Attach the Compute Engine default service account to a Cloud Run job, trigger the job from GitHub over HTTPS, and forward the runner's OAuth token to authenticate.
Workload Identity Federation lets an external workload exchange a short-lived OIDC or SAML token issued by its native identity provider for a Google-issued access token through the Security Token Service (STS). The correct approach is to create a Workload Identity Pool, add a provider that trusts GitHub's OIDC tokens, grant the external principal set the roles/iam.workloadIdentityUser role on a Google Cloud service account, and have the runner call the STS endpoint to receive a temporary access token. The other options either rely on long-lived service account keys, misuse Cloud Identity federation (which is meant for human users), or attempt to reuse Google-managed default service accounts; each of these violates the security policy or fails to provide the required federation capability.
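A worked example of the correct option, added here and not part of the original question or of Google's documentation: a shell script with the one-time gcloud setup (pool, GitHub OIDC provider restricted to a single repository by an attribute condition, impersonation grant) and the workflow that consumes it. The project id, project number, repository, pool, provider and service account names are placeholders.

```shell
# Added example (not from the original page): placeholders only; replace before use.
set -eu
PROJECT_ID="${PROJECT_ID:-example-project}"          # placeholder project id
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"     # placeholder numeric project number
REPO="${REPO:-example-org/example-repo}"             # the only GitHub repo allowed to federate
POOL="${POOL:-github-pool}"; PROVIDER="${PROVIDER:-github-provider}"
SA_EMAIL="${SA_EMAIL:-deployer@${PROJECT_ID}.iam.gserviceaccount.com}"
# IAM member matching every GitHub token whose mapped attribute.repository equals REPO.
principal_set() {
  echo "principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/attribute.repository/${REPO}"
}
# Provider resource name the workflow hands to google-github-actions/auth.
provider_name() {
  echo "projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/providers/${PROVIDER}"
}
# One-time setup: pool, OIDC provider trusting GitHub's issuer (limited to REPO by the
# attribute condition), and the impersonation grant. No service account key is created.
setup_federation() {
  gcloud iam workload-identity-pools create "$POOL" --project="$PROJECT_ID" \
    --location=global --display-name="GitHub Actions pool"
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" --project="$PROJECT_ID" \
    --location=global --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="assertion.repository == '${REPO}'"
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" --member="$(principal_set)"
}
# Workflow: id-token: write lets the runner request its GitHub OIDC token; the auth action
# exchanges it through STS for a short-lived access token for SA_EMAIL. Nothing is stored.
write_workflow() {
  cat > "$1" <<EOF
name: deploy
on: { push: { branches: [main] } }
permissions: { contents: read, id-token: write }
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: $(provider_name)
          service_account: ${SA_EMAIL}
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud config list account   # replace with the real deploy step
EOF
}
case "${1:-}" in apply) setup_federation ;; workflow) write_workflow "${2:-.github/workflows/deploy.yml}" ;; esac
```

Run `sh setup.sh apply` once from an account that can administer the project, then `sh setup.sh workflow` to write the workflow file; because the provider's attribute condition pins the repository, a token minted by any other repository is rejected at the STS exchange.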