You are deploying an application to Cloud Run. The application requires a password to start. Your organization requires that all passwords are rotated every 24 hours, and your application must have the latest password. You need to deploy the application with no downtime. What should you do?
A. Store the password in Secret Manager and send the secret to the application by using environment variables.
B. Store the password in Secret Manager and mount the secret as a volume within the application.
C. Use Cloud Build to add your password into the application container at build time. Ensure that Artifact Registry is secured from public access.
D. Store the password directly in the code. Use Cloud Build to rebuild and deploy the application each time the password changes.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
B
Explanation
A. Store the password in Secret Manager and send the secret to the application by using environment variables.
(You can’t send the secret without mounting the Secret Manager path.)
B. Store the password in Secret Manager and mount the secret as a volume within the application.
(https://cloud.google.com/run/docs/configuring/services/secrets
“Mount each secret as a volume, which makes the secret available to the container as files. Reading a volume always fetches the secret value from Secret Manager, so it can be used with the latest version. This method also works well with secret rotation.”)
C. Use Cloud Build to add your password into the application container at build time. Ensure that Artifact Registry is secured from public access.
(Not a secure way, since a security breach is possible if the container is compromised.)
D. Store the password directly in the code. Use Cloud Build to rebuild and deploy the application each time the password changes.
(Definitely not an option, and not a secure method.)
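The volume mount in option B only delivers the rotated password if the application reads the mounted file when it needs the value instead of caching it at startup. The Python code below is an added example, not part of the original question: the mount path `/secrets/app-password`, `AuthError` and the `connect` callback are assumptions, and a temporary file stands in for the mounted secret volume.

```python
import tempfile
from pathlib import Path

# Assumed mount path of the secret volume (hypothetical; match your service config).
SECRET_PATH = Path("/secrets/app-password")

class AuthError(Exception):
    """Raised by the hypothetical backend when it rejects the password."""

def read_secret(path: Path = SECRET_PATH) -> str:
    # Read the mounted file on every call; a value cached at startup goes stale.
    return path.read_text(encoding="utf-8").rstrip("\r\n")

def connect_with_rotation(connect, path: Path = SECRET_PATH, attempts: int = 2):
    """Call connect(password); if it is rejected, re-read the file and retry."""
    for attempt in range(attempts):
        try:
            return connect(read_secret(path))
        except AuthError:
            if attempt == attempts - 1:
                raise  # still rejected after a fresh read: surface the error

def demo() -> dict:
    """Constructed demo: a temp file stands in for the mounted secret volume."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "app-password"
        secret.write_text("old-password\n", encoding="utf-8")
        accepted = {"value": "old-password"}

        def connect(password: str) -> str:
            if password != accepted["value"]:
                raise AuthError("password rejected")
            return "connected with " + password

        cached_at_startup = read_secret(secret)
        before = connect_with_rotation(connect, secret)
        # Simulated rotation: the backend and the mounted file both change.
        accepted["value"] = "new-password"
        secret.write_text("new-password\n", encoding="utf-8")
        after = connect_with_rotation(connect, secret)
        try:
            connect(cached_at_startup)
            stale_ok = True
        except AuthError:
            stale_ok = False
        return {"before": before, "after": after, "cached_still_works": stale_ok}

if __name__ == "__main__":
    print(demo())
```

The retry covers the window in which the password rotates between reading the file and presenting it to the backend.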