You need to authenticate applications between GCP services without storing credentials. What should you use?
- Service accounts with JSON keys
- Service accounts with Workload Identity ✓
- Hardcoded API keys
- Basic HTTP authentication
Correct answer: Service accounts with Workload Identity
Option B is correct because Workload Identity lets Kubernetes pods running in GKE impersonate a Google service account without downloading and storing long-lived JSON key files; the pod instead obtains short-lived, automatically rotated tokens, which removes a significant credential-management and exfiltration risk.

Option A is wrong because a service account JSON key must be stored as a Kubernetes secret or embedded in the application, creating a persistent credential that can be exfiltrated and is difficult to rotate quickly if compromised.

Option C is incorrect because hardcoded API keys are a severe security anti-pattern: they violate least-privilege and rotation requirements and are explicitly flagged as a critical vulnerability in secure coding guidance.

Option D is wrong because basic HTTP authentication transmits credentials in Base64-encoded form, is unsuitable for service-to-service authentication within GCP, and provides no integration with IAM policies.
Topic: workload identity, gke, service accounts, gcp security