You are creating a CI/CD pipeline to perform Terraform deployments of Google Cloud resources. Your CI/CD tooling is running in Google Kubernetes Engine (GKE) and uses an ephemeral Pod for each pipeline run. You must ensure that the pipelines that run in the Pods have the appropriate Identity and Access Management (IAM) permissions to perform the Terraform deployments. You want to follow Google-recommended practices for identity management. What should you do? (Choose two.)
A. Create a new Kubernetes service account, and assign the service account to the Pods. Use Workload Identity to authenticate as the Google service account.
B. Create a new JSON service account key for the Google service account, store the key as a Kubernetes secret, inject the key into the Pods, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.
C. Create a new Google service account, and assign the appropriate IAM permissions.
D. Create a new JSON service account key for the Google service account, store the key in the secret management store for the CI/CD tool, and configure Terraform to use this key for authentication.
E. Assign the appropriate IAM permissions to the Google service account associated with the Compute Engine VM instances that run the Pods.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
A, C
Explanation
A. Create a new Kubernetes service account, and assign the service account to the Pods. Use Workload Identity to authenticate as the Google service account.
(Correct. A Kubernetes service account (KSA) is assigned to the pipeline Pods and mapped to a Google service account (GSA) through Workload Identity: the KSA is annotated with the GSA it maps to, and the KSA is granted roles/iam.workloadIdentityUser on that GSA. The Pods then obtain short-lived tokens for the GSA from the GKE metadata server, so no service account key is ever created, stored, distributed or rotated. This is Google's recommended way for GKE workloads to authenticate to Google Cloud APIs.)
B. Create a new JSON service account key for the Google service account, store the key as a Kubernetes secret, inject the key into the Pods, and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.
(Not recommended. A JSON key is a long-lived, exportable credential that has to be protected and rotated manually, and anyone who can read the Secret or the Pod's environment can authenticate as the Google service account until the key is revoked. Google's guidance for GKE workloads is to avoid service account keys altogether and use Workload Identity instead.)
C. Create a new Google service account, and assign the appropriate IAM permissions.
(Correct, and the other half of the same design. The Kubernetes service account only establishes the Pod's identity inside the cluster; the IAM permissions Terraform needs to create Google Cloud resources are granted to a dedicated Google service account, scoped to the roles the deployment actually requires. Keeping that service account separate from the node service account and from other workloads' identities follows least privilege.)
D. Create a new JSON service account key for the Google service account, store the key in the secret management store for the CI/CD tool, and configure Terraform to use this key for authentication.
(Not recommended, for the same reason as B: it still creates a long-lived JSON key, only moved into the CI/CD tool's secret store. The key still has to be delivered to every ephemeral Pod and rotated, and a compromise of the secret store grants standing access to the Google Cloud project.)
E. Assign the appropriate IAM permissions to the Google service account associated with the Compute Engine VM instances that run the Pods.
(Not recommended. The node's Compute Engine service account is shared by every Pod scheduled on that node, so granting it Terraform's deployment permissions hands them to unrelated workloads as well, violating least privilege. Workload Identity exists precisely so that a per-Pod Kubernetes service account, not the node identity, carries the IAM permissions.)
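The following Terraform is an added example that implements options A and C together; it is not part of the original question or of Google's documentation. It assumes a project ID supplied as var.project_id, a GKE cluster that already has Workload Identity enabled (workload pool PROJECT_ID.svc.id.goog, node pool using GKE_METADATA), the namespace cicd, the Kubernetes service account terraform-runner, the Google service account terraform-deployer, and the two IAM roles shown; all of those names and roles are assumptions to be replaced with your own.

```hcl
# Added example, not from the original page. Assumed names: var.project_id,
# namespace "cicd", KSA "terraform-runner", GSA "terraform-deployer".
# Assumes the GKE cluster already has Workload Identity enabled
# (workload pool "<project>.svc.id.goog") and the node pool uses GKE_METADATA.
terraform {
  required_providers {
    google     = { source = "hashicorp/google" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

variable "project_id" {
  type = string
}

# Option C: a dedicated Google service account for the pipeline ...
resource "google_service_account" "terraform_deployer" {
  project      = var.project_id
  account_id   = "terraform-deployer"
  display_name = "Terraform CI/CD deployer"
}

# ... granted only the roles the Terraform code actually needs
# (assumed set; narrow it to the resources your pipeline manages).
resource "google_project_iam_member" "terraform_deployer_roles" {
  for_each = toset([
    "roles/compute.instanceAdmin.v1",
    "roles/storage.objectAdmin", # e.g. the bucket holding Terraform state
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.terraform_deployer.email}"
}

# Option A, Google Cloud side: allow the KSA cicd/terraform-runner to act as the GSA.
resource "google_service_account_iam_member" "workload_identity_user" {
  service_account_id = google_service_account.terraform_deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[cicd/terraform-runner]"
}

# Option A, Kubernetes side: the KSA the CI/CD tool assigns to each ephemeral Pod,
# annotated with the GSA it maps to.
resource "kubernetes_namespace" "cicd" {
  metadata {
    name = "cicd"
  }
}

resource "kubernetes_service_account" "terraform_runner" {
  metadata {
    name      = "terraform-runner"
    namespace = kubernetes_namespace.cicd.metadata[0].name
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.terraform_deployer.email
    }
  }
}
```

The CI/CD tool's Pod template then only needs `serviceAccountName: terraform-runner` in the `cicd` namespace; no key file is mounted and GOOGLE_APPLICATION_CREDENTIALS is left unset, because the google provider running inside the Pod picks up a short-lived token for terraform-deployer from the GKE metadata server through Application Default Credentials. To check the mapping before wiring up the pipeline, start a throwaway Pod with that service account, for example `kubectl run -it --rm wi-test -n cicd --image=google/cloud-sdk:slim --overrides='{"spec":{"serviceAccountName":"terraform-runner"}}' -- gcloud auth list`; the active account should be the terraform-deployer email, not the node's Compute Engine service account.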