GCP Professional Cloud Security Engineer Practice Question
Your organization's GitHub Actions pipeline builds container images and pushes them to Artifact Registry in a Google Cloud project. The workflow currently authenticates with a JSON key for a user-managed service account, but new policy mandates that no long-lived Google-issued credential may exist outside Google Cloud. Short-lived OAuth 2.0 access tokens (≤1 hour) must be generated just-in-time from the workflow without human interaction. Which solution best meets these requirements while respecting least privilege?
Place Artifact Registry into a VPC Service Controls perimeter and add the GitHub runners' IP range to an access level, removing the need for service account credentials during image pushes.
Create a workload identity pool with a GitHub OIDC provider and allow the pool to impersonate a minimally scoped service account, so the workflow exchanges its GitHub OIDC token for a short-lived Google Cloud access token at runtime.
Store the existing JSON service-account key in Secret Manager and configure the workflow to fetch the key at runtime, rotating the key every seven days with Cloud Scheduler.
Run gcloud auth application-default login locally, commit the generated Application Default Credentials file that contains a refresh token, and let the workflow exchange the refresh token for one-hour access tokens when needed.
Workload Identity Federation lets external workloads (including GitHub Actions) exchange an external OIDC token for a short-lived Google Cloud access token, eliminating the need to store a service-account key. When you create a workload identity pool and a GitHub provider, GitHub issues an OIDC token at build time that Google's Security Token Service exchanges for an access token valid for up to one hour. Granting the pool permission to impersonate a narrowly scoped service account maintains least privilege. Using a gcloud-generated refresh token would leave a long-lived credential in the repository, violating policy. VPC Service Controls protect against data exfiltration but do not provide authentication. Storing and rotating the JSON key in Secret Manager still relies on a long-lived key and does not meet the short-lived-credential requirement.
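As an added illustration that is not part of the original question, this is what the federated flow from the correct option looks like in a GitHub Actions workflow: the job is allowed to request a GitHub OIDC token, the `google-github-actions/auth` step exchanges that token through Google's Security Token Service for an access token that impersonates the service account, and the token (capped here at one hour) is used only for the Artifact Registry push. The project number, pool, provider, service account, region and image names are placeholders, not values from the page.

```yaml
name: build-and-push
on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # allows this job to request a GitHub-issued OIDC token

jobs:
  push-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for a short-lived Google Cloud access token.
      # No JSON key or refresh token is stored in the repository or in secrets.
      # All identifiers below are placeholders for your own project, pool, provider and SA.
      # Least privilege lives on the Google side: the provider's attribute condition and the
      # roles/iam.workloadIdentityUser binding should be restricted to this repository (and,
      # ideally, this branch), and the SA should hold only roles/artifactregistry.writer.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider
          service_account: artifact-pusher@my-project.iam.gserviceaccount.com
          token_format: access_token
          access_token_lifetime: 3600s   # at most one hour, matching the policy

      # Log Docker in to Artifact Registry with the short-lived token; it expires on its own.
      - uses: docker/login-action@v3
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

      - run: |
          IMAGE=us-central1-docker.pkg.dev/my-project/images/app:${GITHUB_SHA}
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

For detection, the exchange and the impersonation both appear in Cloud Audit Logs as activity by the federated principal, so a push from an unexpected repository or branch is visible even though no stored key exists to leak.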