GCP Professional Cloud Security Engineer Practice Question
Your security team reviews a new GKE cluster that will run several workloads. All Pods currently use the cluster's default Compute Engine service account, which still holds the Project Editor role. Front-end Pods only need to write logs to Cloud Logging and read one Secret Manager secret. Background worker Pods need to read and write objects in a single Cloud Storage bucket and publish to one Pub/Sub topic. To meet Google-recommended least-privilege practices for service accounts, what should you recommend?
Keep the default Compute Engine service account but replace the Editor role with Logging Admin, Secret Manager Secret Accessor, Storage Object Admin, and Pub/Sub Publisher roles at the project level.
Delete the default Compute Engine service account and run the node pool with no service account; instead, add the required legacy OAuth scopes to the nodes so Pods can call Google APIs directly.
Enable Workload Identity Federation and let all Pods impersonate the Cloud Build service account, which already has wide permissions; leave the default Compute Engine service account unchanged.
Create two new Google service accounts, one for the front-end Pods and one for the worker Pods, grant each only the needed roles, map the corresponding KSAs to these GSAs with Workload Identity, and disable the default Compute Engine service account.
Google advises against sharing the automatically created Compute Engine default service account because it encourages privilege accumulation and complicates auditing. A better design is to create one dedicated service account per independent workload, grant each only the roles its code requires, and connect the Kubernetes service account (KSA) for each Pod to its matching Google service account (GSA) through Workload Identity. With this in place, the default Compute Engine service account can be disabled so that no workload can accidentally run with broad, unnecessary permissions. Simply stripping the Editor role from the default account still violates the recommendation to avoid multi-purpose accounts, impersonating another powerful service account keeps excessive permissions, and deleting the default account or relying on node-level scopes would break workloads and reduce security.
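The design the explanation describes, carried out with gcloud and kubectl, as an added example that is not part of the original page. Project, namespace, bucket, topic, secret and service-account names are placeholders; it prints the commands unless DRY_RUN=0, so it can be reviewed before anything is changed.

```shell
# Added example, not code from the original page: one dedicated GSA per
# workload, resource-scoped roles, KSA->GSA binding via Workload Identity,
# then the default Compute Engine SA disabled. All names are placeholders.
set -eu

PROJECT_ID="my-project"          # placeholder
PROJECT_NUMBER="000000000000"    # placeholder (gcloud projects describe ... projectNumber)
NAMESPACE="prod"                 # placeholder
BUCKET="worker-data"             # placeholder bucket used by the workers
TOPIC="worker-events"            # placeholder topic the workers publish to
SECRET="frontend-api-key"        # placeholder secret the front end reads
DRY_RUN="${DRY_RUN:-1}"          # 1 = only print the commands; 0 = run them

# Echo each command; execute it only when DRY_RUN=0.
run() { echo "+ $*"; if [ "$DRY_RUN" = "0" ]; then "$@"; fi; }
gsa_email() { echo "$1@${PROJECT_ID}.iam.gserviceaccount.com"; }
# Workload Identity principal for a KSA: PROJECT_ID.svc.id.goog[NAMESPACE/KSA]
wi_member() { echo "serviceAccount:${PROJECT_ID}.svc.id.goog[${NAMESPACE}/$1]"; }

# Create a dedicated GSA and let exactly one KSA impersonate it.
bind_workload() {   # $1 = GSA name, $2 = KSA name
  gsa="$(gsa_email "$1")"
  run gcloud iam service-accounts create "$1" --project="$PROJECT_ID"
  run kubectl create serviceaccount "$2" --namespace="$NAMESPACE"
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --role=roles/iam.workloadIdentityUser --member="$(wi_member "$2")"
  run kubectl annotate serviceaccount "$2" --namespace="$NAMESPACE" \
    "iam.gke.io/gcp-service-account=$gsa"
}

# Front end: write logs, read one secret (bound on the secret, not the project).
FE="$(gsa_email frontend-sa)"
bind_workload frontend-sa frontend-ksa
run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$FE" --role=roles/logging.logWriter
run gcloud secrets add-iam-policy-binding "$SECRET" --project="$PROJECT_ID" \
  --member="serviceAccount:$FE" --role=roles/secretmanager.secretAccessor

# Workers: one bucket and one topic, again bound on the resource itself.
WK="$(gsa_email worker-sa)"
bind_workload worker-sa worker-ksa
run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
  --member="serviceAccount:$WK" --role=roles/storage.objectAdmin
run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT_ID" \
  --member="serviceAccount:$WK" --role=roles/pubsub.publisher

# Nothing should fall back to the default SA any more: disable it.
run gcloud iam service-accounts disable \
  "${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" --project="$PROJECT_ID"
```

The Pods' specs must then reference the annotated KSA in `serviceAccountName`, and the cluster and node pool must have Workload Identity enabled for the binding to take effect.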