Topic 1 Question 200
You need to deploy resources from your laptop to Google Cloud using Terraform. Resources in your Google Cloud environment must be created using a service account. Your Cloud Identity has the roles/iam.serviceAccountTokenCreator Identity and Access Management (IAM) role and the necessary permissions to deploy the resources using Terraform. You want to set up your development environment to deploy the desired resources following Google-recommended best practices. What should you do?
- A. Download the service account’s key file in JSON format, and store it locally on your laptop. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your downloaded key file.
- B. Run the following command from a command line: gcloud config set auth/impersonate_service_account [email protected]. Set the GOOGLE_OAUTH_ACCESS_TOKEN environment variable to the value that is returned by the gcloud auth print-access-token command.
- C. Run the following command from a command line: gcloud auth application-default login. In the browser window that opens, authenticate using your personal credentials.
- D. Store the service account's key file in JSON format in Hashicorp Vault. Integrate Terraform with Vault to retrieve the key file dynamically, and authenticate to Vault using a short-lived access token.
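The impersonation workflow that option B describes, written out as an added example (it is not part of the original question or of any commenter's post) in the form of a Terraform google provider configuration. The project id, region and service-account address are placeholders; the `impersonate_service_account` provider argument is a real argument of the hashicorp/google provider and does the same token exchange that `gcloud config set auth/impersonate_service_account` plus `gcloud auth print-access-token` do on the command line.

```hcl
# Added example: Terraform authenticating to Google Cloud by impersonating a
# service account. No key file is ever downloaded. Your own user credentials
# (obtained once with `gcloud auth application-default login`) are exchanged
# for a short-lived access token for the service account; this requires your
# identity to hold roles/iam.serviceAccountTokenCreator on that service account.
#
# Command-line equivalent of option B (placeholder address):
#   gcloud config set auth/impersonate_service_account \
#       terraform-deployer@my-project.iam.gserviceaccount.com
#   export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"
#
# Letting the provider perform the impersonation itself avoids copying a
# token into the environment at all:

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = "my-project"   # placeholder
  region  = "us-central1"  # placeholder

  # Placeholder service-account address. Terraform uses your Application
  # Default Credentials only to mint a short-lived token for this account;
  # every resource is then created as the service account.
  impersonate_service_account = "terraform-deployer@my-project.iam.gserviceaccount.com"
}
```

Because the token is short-lived and tied to your user identity, revoking access is an IAM change on the service account rather than a key rotation, and Cloud Audit Logs record which user impersonated the service account for each request, which is the traceability the first comment refers to.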
User votes
Comments (8)
- Selected Answer: B
A&D assume that you download and store SA keys, which violates best practices, since you potentially lose control over what happens to those credentials and it makes it impossible to track who actually uses the SA. D makes it even worse since it requires you to maintain your own secret management to minimize the risk.
C does nothing that would give you the SA permissions you need.
B follows best practices, since impersonation permissions can be managed transparently via IAM and via logs you can also see who impersonated/used the SA.
👍 4 Underverse 2022/12/22
- Selected Answer: B
I think it's option B.
The question already says that you have the role for impersonating the service account.
This means that option B is viable, as you can impersonate that service account and get a token that has the required level of access to create resources.
👍 2 micoams 2022/12/19
- Selected Answer: B
👍 2 TNT87 2023/01/04