Home › GCP Associate Cloud Engineer › cloudcomputing › gcpsecurity › Which approach gives a GKE workload SHORT-LIVED …
Which approach gives a GKE workload SHORT-LIVED credentials to access Google APIs WITHOUT mounting a service-account JSON key in the pod?
AGranting every pod `roles/owner` at the project level
BPasting service-account keys into Pod environment variables
CGKE Workload Identity (binds Kubernetes service accounts to Google service accounts)
DHard-coding service-account JSON keys into the container image
Answer & Solution
Correct answer: C. GKE Workload Identity (binds Kubernetes service accounts to Google service accounts)
Workload Identity is the recommended pattern — a Kubernetes SA federates to a Google SA, pods get short-lived tokens via the metadata server, no JSON keys to leak or rotate. The other options leak credentials or wildly over-permission.
Related questions
Which IAM principle does Google Cloud recommend when granting a service account access to Which Google Cloud feature provides a centralised reverse proxy that verifies the user's iAn organisation wants to enforce that only signed and approved container images can be depWorkload Identity Federation lets external (non-Google) identities (e.g. AWS IAM, GitHub AAn auditor needs to determine which user deleted a Cloud Storage bucket in a project last Which Google Cloud product stores secrets (API tokens, passwords, certificates) with versiWhich Google Cloud service centrally manages cryptographic keys (creation, rotation, destrService account impersonation lets a principal: