Exam Professional Cloud DevOps Engineer topic 1 question 150 discussion

Answer is B: https://cloud.google.com/run/docs/configuring/services/secrets "Mount each secret as a volume, which makes the secret available to the container as files. Reading a volume always fetches the secret value from Secret Manager, so it can be used with the latest version. This method also works well with secret rotation."

(Option B) By storing the password in Secret Manager and mounting the secret as a volume within the application, you can achieve password rotation without causing downtime. This allows you to update the password in Secret Manager, and Cloud Run can dynamically mount the latest version of the secret without requiring a redeployment of the application. This approach ensures that the application always has access to the latest password without interrupting its availability, providing a seamless and secure way to manage password rotation in a Cloud Run environment. Storing sensitive information like passwords in Secret Manager enhances security and separation of concerns.

I think is B for this "Mount each secret as a volume, which makes the secret available to the container as files. Reading a volume always fetches the secret value from Secret Manager, so it can be used with the latest version. This method also works well with secret rotation. Pass a secret using environment variables. Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest." https://cloud.google.com/run/docs/configuring/services/secrets

You can make a secret available to your containers in either of two ways: Mount each secret as a volume, which makes the secret available to the container as files. Reading a volume always fetches the secret value from Secret Manager, so it can be used with the latest version. This method also works well with secret rotation. Pass a secret using environment variables. Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest. https://cloud.google.com/run/docs/configuring/services/secrets

answer is A: If you are exposing the secret as an environment variable: Supply the Name of the variable and select the secret version, or latest to always use the current secret version.

Answer is A The best solution is to store the password in Secret Manager and send the secret to the application by using environment variables. This will allow you to rotate the password without having to rebuild and deploy the application each time.

Answer is B https://cloud.google.com/run/docs/configuring/services/secrets