Google Exam Professional Cloud DevOps Engineer Topic 4 Question 86 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam

Question #: 86
Topic #: 4

[All Professional Cloud DevOps Engineer Questions]

Your uses Jenkins running on Google Cloud VM instances for CI/CD. You need to extend the functionality to use infrastructure as code automation by using Terraform. You must ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. You want to follow Google-recommended practices- What should you do?

AAdd the auth application-default command as a step in Jenkins before running the Terraform commands.

BCreate a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE environment variable on the Jenkins server.

CConfirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.

Duse the Terraform module so that Secret Manager can retrieve credentials.

Show Suggested Answer

Suggested Answer: C

The correct answer is C)

Confirming that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions is the best way to ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. This follows the Google-recommended practice of using service accounts to authenticate and authorize applications running on Google Cloud1. Service accounts are associated with private keys that can be used to generate access tokens for Google Cloud APIs2. By attaching a service account to the Jenkins VM instance, Terraform can use the Application Default Credentials (ADC) strategy to automatically find and use the service account credentials3.

Answer A is incorrect because the auth application-default command is used to obtain user credentials, not service account credentials. User credentials are not recommended for applications running on Google Cloud, as they are less secure and less scalable than service account credentials1.

Answer B is incorrect because it involves downloading and copying the secret key value of the service account, which is not a secure or reliable way of managing credentials. The secret key value should be kept private and not exposed to any other system or user2. Moreover, setting the GOOGLE environment variable on the Jenkins server is not a valid way of providing credentials to Terraform. Terraform expects the credentials to be either in a file pointed by the GOOGLE_APPLICATION_CREDENTIALS environment variable, or in a provider block with the credentials argument3.

Answer D is incorrect because it involves using the Terraform module for Secret Manager, which is a service that stores and manages sensitive data such as API keys, passwords, and certificates. While Secret Manager can be used to store and retrieve credentials, it is not necessary or sufficient for authorizing the Terraform Jenkins instance. The Terraform Jenkins instance still needs a service account with the appropriate IAM permissions to access Secret Manager and other Google Cloud resources.

by Mabel at Jan 21, 2025, 11:56 PM

Limited Time Offer

25%

Off

Get Premium Professional Cloud DevOps Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Dianne

2 months ago

I personally prefer option D because it utilizes Secret Manager for credential retrieval, which adds an extra layer of security.

upvoted 0 times

...

Rebbecca

2 months ago

That's a good point, but I still think option B provides more control over the Terraform instance.

upvoted 0 times

...

Felicidad

2 months ago

I'm going with B. It's the Google-recommended practice, and it's better to be safe with credentials than sorry.

upvoted 0 times

Chaya

25 days ago

I think both options are important for security measures.

upvoted 0 times

...

Dong

1 months ago

C) Confirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.

upvoted 0 times

...

Irma

1 months ago

That sounds like a secure way to handle credentials.

upvoted 0 times

...

Giuseppe

1 months ago

B) Create a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE environment variable on the Jenkins server.

upvoted 0 times

...

Ira

2 months ago

D seems like an overly complicated approach. Why use Secret Manager when you can just set the environment variable?

upvoted 0 times

...

Hoa

2 months ago

C looks good to me. If the Jenkins VM has the right IAM permissions, that should be the easiest solution.

upvoted 0 times

Alexia

7 days ago

User4: I'm leaning towards option C as well. If the Jenkins VM already has the right IAM permissions, it would be the most straightforward choice.

upvoted 0 times

...

Precious

8 days ago

User3: I think we should consider option B) Create a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE environment variable on the Jenkins server.

upvoted 0 times

...

Lettie

9 days ago

User2: I agree with User1, but option C) Confirm that the Jenkins VM instance has an attached service account with the appropriate IAM permissions seems like a simpler solution.

upvoted 0 times

...

Clarence

1 months ago

User1: I think we should go with option A) Add the auth application-default command as a step in Jenkins before running the Terraform commands.

upvoted 0 times

...

Nan

2 months ago

I disagree, I believe option C is the way to go as it directly checks the IAM permissions on the Jenkins VM instance.

upvoted 0 times

...

Aja

2 months ago

I think the answer is B. Creating a dedicated service account and using the environment variable is the safest and most recommended approach.

upvoted 0 times

Kristel

1 months ago

C) Confirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.

upvoted 0 times

...

Tran

2 months ago

B) Create a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE environment variable on the Jenkins server.

upvoted 0 times

...

Rebbecca

3 months ago

I think option B is the best choice because it ensures security by using a dedicated service account.

upvoted 0 times

...