Practice free →
HomeGCP Associate Cloud Engineercloudcomputinggcpsecurity › Which approach gives a GKE workload SHORT-LIVED …

Which approach gives a GKE workload SHORT-LIVED credentials to access Google APIs WITHOUT mounting a service-account JSON key in the pod?

AGranting every pod `roles/owner` at the project level
BPasting service-account keys into Pod environment variables
CGKE Workload Identity (binds Kubernetes service accounts to Google service accounts)
DHard-coding service-account JSON keys into the container image
Answer & Solution
Correct answer: C. GKE Workload Identity (binds Kubernetes service accounts to Google service accounts)
Workload Identity is the recommended pattern — a Kubernetes SA federates to a Google SA, pods get short-lived tokens via the metadata server, no JSON keys to leak or rotate. The other options leak credentials or wildly over-permission.
Solve this in the app — GCP Associate Cloud Engineer practice & 24k+ MCQs →
Related questions