
Google Professional Cloud DevOps Engineer Exam - Topic 5 Question 76 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam
Question #: 76
Topic #: 5

A third-party application needs to have a service account key to work properly. When you try to export the key from your cloud project, you receive an error: "The organization policy constraint iam.disableServiceAccountKeyCreation is enforced." You need to make the third-party application work while following Google-recommended security practices. What should you do?

Suggested Answer: C

The correct answer is C.

Confirming that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions is the best way to ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. This follows the Google-recommended practice of using service accounts to authenticate and authorize applications running on Google Cloud [1]. Service accounts are associated with private keys that can be used to generate access tokens for Google Cloud APIs [2]. By attaching a service account to the Jenkins VM instance, Terraform can use the Application Default Credentials (ADC) strategy to automatically find and use the service account credentials [3].

Answer A is incorrect because the auth application-default command is used to obtain user credentials, not service account credentials. User credentials are not recommended for applications running on Google Cloud, as they are less secure and less scalable than service account credentials [1].

Answer B is incorrect because it involves downloading and copying the secret key value of the service account, which is not a secure or reliable way of managing credentials. The secret key value should be kept private and not exposed to any other system or user [2]. Moreover, setting the GOOGLE environment variable on the Jenkins server is not a valid way of providing credentials to Terraform. Terraform expects the credentials to be either in a file pointed to by the GOOGLE_APPLICATION_CREDENTIALS environment variable, or in a provider block with the credentials argument [3].

Answer D is incorrect because it involves using the Terraform module for Secret Manager, which is a service that stores and manages sensitive data such as API keys, passwords, and certificates. While Secret Manager can be used to store and retrieve credentials, it is not necessary or sufficient for authorizing the Terraform Jenkins instance. The Terraform Jenkins instance still needs a service account with the appropriate IAM permissions to access Secret Manager and other Google Cloud resources.


Contribute your Thoughts:

Margart
3 months ago
Removing the policy sounds like a bad idea.
upvoted 0 times
...
Twana
3 months ago
Wait, can you really just change the policy like that?
upvoted 0 times
...
Lucia
4 months ago
I thought disabling policies was risky?
upvoted 0 times
...
Kara
4 months ago
Definitely go with option D! Makes the most sense.
upvoted 0 times
...
Lynelle
4 months ago
You can't create service account keys if the policy is enforced.
upvoted 0 times
...
Leila
4 months ago
I’m a bit confused about the organization policy. I thought we couldn’t just change it at the project level without affecting other projects.
upvoted 0 times
...
Reiko
4 months ago
I feel like enabling the default service account key might not be the best practice. We should avoid using default keys if possible, right?
upvoted 0 times
...
Brynn
5 months ago
I think option D sounds familiar from a practice question we did. It might be the right way to adjust the policy without compromising security.
upvoted 0 times
...
Vivienne
5 months ago
I remember studying about service account keys, but I'm not sure if we should just remove the policy entirely. That seems risky.
upvoted 0 times
...
Arthur
5 months ago
I'm a bit confused about the difference between disabling the policy at the project's folder versus adding a rule to set it to off in the project. I'll need to research the best way to approach this.
upvoted 0 times
...
Dexter
5 months ago
Okay, I think the key is to remove the policy at the organization level and then create a new key. That seems like the most straightforward approach while still following the security guidelines.
upvoted 0 times
...
Ronna
5 months ago
Hmm, the policy constraint is enforced, so I'm not sure if I can just enable the default service account key. I'll have to look into how to remove or disable that policy.
upvoted 0 times
...
Jess
5 months ago
This seems like a tricky one. I'll need to carefully read through the options and think about the recommended security practices.
upvoted 0 times
...
Blossom
5 months ago
The COBIT 2019 Design Guide sounds like it might be the right answer, since it's focused on designing the governance solution. I'll double-check the details, but that's my initial thought.
upvoted 0 times
...
Kendra
9 months ago
I'm feeling like a spy trying to bypass Google's security measures. But B seems like the stealthiest move. Shh, don't tell the admins!
upvoted 0 times
Sherrell
8 months ago
C: Agreed, let's keep it low-key and follow Google's security practices.
upvoted 0 times
...
Samuel
8 months ago
B: No, that might raise suspicion. I think we should go with option B.
upvoted 0 times
...
Georgeanna
9 months ago
A: Have you tried reaching out to the admins for assistance?
upvoted 0 times
...
...
Elouise
9 months ago
This question is a real head-scratcher. I'm tempted to go with D, but I think B is the way to go. Gotta love Google's policy shenanigans!
upvoted 0 times
...
Serina
9 months ago
Ha! The exam writers are really testing our understanding of Google's security practices. I'll go with B - it's the one that aligns best with their recommendations.
upvoted 0 times
...
Bok
10 months ago
Option C looks tempting, but disabling the policy at the project level might not be the best approach. I'd go with B.
upvoted 0 times
Annabelle
8 months ago
Let's go with Option B to make sure the third-party application works securely.
upvoted 0 times
...
Simona
8 months ago
I think it's better to follow Google's recommendations and go with Option B.
upvoted 0 times
...
Ernie
8 months ago
Let's go with option B to make sure we're keeping the third-party application secure.
upvoted 0 times
...
Titus
8 months ago
Option B seems like the safer choice to ensure security practices are followed.
upvoted 0 times
...
Emogene
9 months ago
Yeah, I think it's better to follow Google's security practices and not disable the policy.
upvoted 0 times
...
Alyssa
9 months ago
I agree, option B seems like the safer choice in this situation.
upvoted 0 times
...
Sylvie
9 months ago
I agree, disabling the policy at the project level could have unintended consequences.
upvoted 0 times
...
...
Cordelia
10 months ago
I think the answer is B. Removing the policy at the organization level seems like the most straightforward solution to allow key creation.
upvoted 0 times
Audry
9 months ago
You could try reaching out to Google support for guidance on how to proceed.
upvoted 0 times
...
Trevor
10 months ago
But wouldn't that compromise security? Maybe there's another way to make it work.
upvoted 0 times
...
Merilyn
10 months ago
I agree, removing the policy at the organization level should solve the issue.
upvoted 0 times
...
...
Twana
10 months ago
I'm feeling like a spy trying to bypass Google's security measures. But B seems like the stealthiest move. Shh, don't tell the admins!
upvoted 0 times
...
Kris
10 months ago
This question is a real head-scratcher. I'm tempted to go with D, but I think B is the way to go. Gotta love Google's policy shenanigans!
upvoted 0 times
Rickie
9 months ago
Yeah, Google's policies can be tricky to navigate sometimes.
upvoted 0 times
...
Scarlet
9 months ago
Let's go with B then, better to follow Google's security practices.
upvoted 0 times
...
Lyla
10 months ago
I agree, D seems tempting but B is the safer option.
upvoted 0 times
...
Rikki
10 months ago
I think B is the way to go.
upvoted 0 times
...
...
Daniela
11 months ago
Ha! The exam writers are really testing our understanding of Google's security practices. I'll go with B - it's the one that aligns best with their recommendations.
upvoted 0 times
Matt
9 months ago
User 2: Yeah, I agree. Let's go with B and remove the policy at the organization level.
upvoted 0 times
...
Corinne
9 months ago
User 1: I think B is the best option too. It aligns with Google's security practices.
upvoted 0 times
...
...
Bette
11 months ago
But wouldn't it be better to add a rule to turn off the policy and create a key?
upvoted 0 times
...
Shoshana
11 months ago
Option C looks tempting, but disabling the policy at the project level might not be the best approach. I'd go with B.
upvoted 0 times
Phuong
9 months ago
I agree, let's go with option B to ensure we follow Google-recommended security practices.
upvoted 0 times
...
Gennie
9 months ago
I see your point, but removing the organization policy constraint with option B seems like the safer choice.
upvoted 0 times
...
Corinne
10 months ago
But wouldn't it be better to enable the default service account key with option A?
upvoted 0 times
...
Denny
10 months ago
I think B is the best option here.
upvoted 0 times
...
...
Fabiola
11 months ago
I agree with Leigha, it's the safest option to follow Google's security practices.
upvoted 0 times
...
Lemuel
11 months ago
I think the answer is B. Removing the policy at the organization level seems like the most straightforward solution to allow key creation.
upvoted 0 times
...
Leigha
11 months ago
I think we should enable the default service account key and download it.
upvoted 0 times
...
