Exam Professional Cloud Developer topic 1 question 200 discussion

A&D assume that you download and store SA keys, which violates best practices, since you potentially loose control over what happens to those credentials and makes it impossible to track who actually uses the SA. D makes it even worse since it requires you to maintain you own secret management to minimize the risk. C does nothing that would give you the SA permissions you need. B follows best practices, since impersonation permissions can be managed transparently via IAM and via logs you can also see who impersonated/used the SA.

Application Default Credentials (ADC): gcloud auth application-default login sets up the Application Default Credentials (ADC) which are a secure way to authenticate applications running on Google Cloud. Minimal Permissions: Your Cloud Identity already has the necessary permissions (roles/iam.serviceAccountTokenCreator) to create service account tokens and the required permissions to deploy resources using Terraform. Security Best Practices: Using ADC avoids storing the service account key file locally on your laptop, which minimizes the risk of exposure and adheres to security best practices.

https://cloud.google.com/docs/authentication/use-service-account-impersonation https://medium.com/bluetuple-ai/terraform-remote-state-on-gcp-d50e2f69b967

B is the correct Answer

B is correct.

B is the best option here. D is more complicated. A & C do not follow google best practices.

B 1. impersonation 2. securely set up env variable that will be used by terraform to deploy

I think its A

Answer is B https://cloud.google.com/sdk/gcloud/reference/config/set#impersonate_service_account

https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code Answer B not D

https://cloud.google.com/docs/terraform/best-practices-for-terraform#default-credhttps://cloud.google.com/docs/terraform/best-practices-for-terraform#storing-secrets Answer D.

I think it's option B. The question already says that you have the role for impersonating the service account. This means that option B is a viable, as you can impersonate that service account, and get a token that has the required level of access to create resources.

D is the answer. https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#file-system Whenever possible, avoid storing service account keys on a file system. If you can't avoid storing keys on disk, make sure to restrict access to the key file, configure file access auditing, and encrypt the underlying disk. https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#software-keystore In situations where using a hardware-based key store isn't viable, use a software-based key store to manage service account keys. Similar to hardware-based options, a software-based key store lets users or applications use service account keys without revealing the private key. Software-based key store solutions can help you control key access in a fine-grained manner and can also ensure that each key access is logged.