Topic 1 Question 337
You are deploying a microservices application to GKE. One microservice needs to download files from a Cloud Storage bucket. You have an IAM service account with the Storage Object Viewer role on the project with the bucket. You need to configure your application to access the Cloud Storage bucket while following Google-recommended practices. What should you do?
A. Assign the IAM service account to the cluster’s node pool. Configure the application to authenticate to the bucket by using Application Default Credentials.
B. Assign the IAM service account to the cluster’s node pool. Encrypt the IAM service account key file by using a symmetric block cipher, and store the encrypted file on a persistent volume. Store the encryption key in Secret Manager.
C. Create a Kubernetes service account. Create a Kubernetes secret with a base64-encoded IAM service account key file. Annotate the Kubernetes secret with the Kubernetes service account. Assign the Kubernetes ServiceAccount to the Pods that need to access the bucket.
D. Create a Kubernetes service account. Use an IAM policy to bind the IAM service account to a Kubernetes service account. Annotate the Kubernetes ServiceAccount object with the name of the bound IAM service account. Assign the Kubernetes ServiceAccount to the Pods that need to access the bucket.
Comments (1)
- Option I believe is correct: D
Workload Identity is the Google-recommended best practice for securely accessing Google Cloud resources from GKE. By creating a Kubernetes service account and binding it to the IAM service account (using an IAM policy binding), you avoid the need to manage service account keys. This setup securely propagates credentials to your Pods, ensuring they can access the Cloud Storage bucket without exposing sensitive keys. This approach minimizes operational overhead while following the principle of least privilege.
👍 1 Sandesh24 2025/03/01
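The Workload Identity setup from option D as a set of shell functions. This is an added example, not part of the original question or comment; the project ID, namespace, Kubernetes service account name, IAM service account name and container image are placeholders to replace with your own.

```shell
# Added example: Workload Identity wiring for option D (placeholder values).
set -eu
# Member string that IAM uses to identify a Kubernetes ServiceAccount (KSA).
wi_member() {
  local project="$1" namespace="$2" ksa="$3"
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$project" "$namespace" "$ksa"
}
# E-mail of the IAM (Google) service account that holds Storage Object Viewer.
gsa_email() {
  local project="$1" gsa="$2"
  printf '%s@%s.iam.gserviceaccount.com' "$gsa" "$project"
}
# The IAM policy binding: let the KSA impersonate the IAM service account.
# No key file is created, so nothing sensitive lands in a Secret or a volume.
bind_workload_identity() {
  local project="$1" namespace="$2" ksa="$3" gsa="$4"
  gcloud iam service-accounts add-iam-policy-binding "$(gsa_email "$project" "$gsa")" \
    --project "$project" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$project" "$namespace" "$ksa")"
}
# KSA annotated with the bound IAM service account, plus a Pod that runs as
# that KSA. Application Default Credentials in the Pod then resolve to the
# IAM service account through the GKE metadata server.
render_manifests() {
  local project="$1" namespace="$2" ksa="$3" gsa="$4"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${ksa}
  namespace: ${namespace}
  annotations:
    iam.gke.io/gcp-service-account: $(gsa_email "$project" "$gsa")
---
apiVersion: v1
kind: Pod
metadata:
  name: bucket-reader
  namespace: ${namespace}
spec:
  serviceAccountName: ${ksa}
  containers:
  - name: app
    image: gcr.io/PLACEHOLDER_PROJECT/app:latest  # placeholder image
EOF
}
# Usage: bind_workload_identity my-proj default storage-reader bucket-gsa
#        render_manifests my-proj default storage-reader bucket-gsa | kubectl apply -f -
```

The cluster must have Workload Identity enabled (`--workload-pool=PROJECT_ID.svc.id.goog`) and the node pool must use the GKE metadata server (`--workload-metadata=GKE_METADATA`) before the Pod's credentials resolve this way.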