GCP Professional Cloud Security Engineer Practice Question
Your security team wants to eliminate the long-lived Google Cloud service account keys currently stored as Kubernetes secrets in an AWS EKS cluster. The applications running in that cluster must still upload objects to a Cloud Storage bucket in your Google Cloud project. You need a solution that follows Google's recommended practices, keeps credentials short-lived, and minimizes operational overhead. What should you do?
Generate a new user-managed service account key, encrypt it with AWS KMS, store it in AWS Secrets Manager, and decrypt it at container start-up.
Make the Cloud Storage bucket public and require the application to use signed URLs produced by a helper service in Google Cloud for uploads.
Enable GKE Workload Identity in the Google Cloud project and label the EKS pods with the target Google service account to transparently obtain tokens.
Create a Workload Identity Pool with an AWS provider, map the EKS cluster's IAM role to a Google Cloud service account with the required Storage roles, and let workloads obtain short-lived tokens through Application Default Credentials.
The recommended pattern is to adopt Workload Identity Federation. By creating a workload identity pool with an AWS provider, you can establish trust between specific AWS IAM roles and a Google Cloud service account. The application running in EKS exchanges its AWS temporary credentials for short-lived OAuth 2.0 access tokens tied to the Google service account, eliminating the need to create, distribute, or store user-managed service account keys. Google Kubernetes Engine's Workload Identity only works for GKE clusters, not EKS. Encrypting and distributing a new key still relies on long-lived credentials and adds operational burden. Making the bucket public and relying on signed URLs both exposes data and bypasses IAM, violating least-privilege principles.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Workload Identity Federation in Google Cloud?
Open an interactive chat with Bash
How does Application Default Credentials (ADC) work with external systems like AWS?
Open an interactive chat with Bash
Why are long-lived service account keys considered a security risk?
Open an interactive chat with Bash
What is Workload Identity Federation in Google Cloud?
Open an interactive chat with Bash
How does a workload obtain short-lived tokens using Application Default Credentials?
Open an interactive chat with Bash
Why is GKE Workload Identity not applicable to AWS EKS clusters?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .