Medium · 1 mark · Multiple Choice

GCP PCA · Question 26 · Domain 2: Managing and Provisioning a Solution Infrastructure

A pod running in GKE needs to access a Cloud Storage bucket. You want to follow the principle of least privilege and avoid managing service account keys manually. What is the recommended approach?

Answer options:

A. Export a JSON key and store it in a Kubernetes Secret.

B. Assign the required IAM role to the GKE Node's underlying Compute Engine service account.

C. Use Workload Identity to bind a Kubernetes Service Account to a Google Service Account.

D. Make the Cloud Storage bucket public.

How to approach this question

Identify the modern way to grant GCP permissions to GKE pods.

Full Answer

C. Use Workload Identity to bind a Kubernetes Service Account to a Google Service Account. ✓ Correct
Workload Identity is the recommended way to access Google Cloud services from applications running within GKE, allowing pod-level granularity without managing JSON keys.

Common mistakes

Using the node service account, which grants permissions to all pods on that node.
