Google Cloud Professional Cloud Security Engineer Practice Exam


What is the most secure way to allow CI/CD pipelines access to Google Cloud resources?

  1. Utilize service account impersonation

  2. Configure workload identity federation

  3. Set up OAuth 2.0 authentication

  4. Enable API keys for access

The correct answer is: Configure workload identity federation

The most secure way to allow CI/CD pipelines access to Google Cloud resources is by configuring workload identity federation. This method enables secure access without the need to manage service account keys, which can be risky if they are improperly stored or exposed. Workload identity federation allows workloads running outside of Google Cloud, such as those in other cloud providers or on-premises environments, to authenticate to Google Cloud using existing identities. This eliminates the need to create long-lived service account keys, which can be a security vulnerability. Instead, federated identities can assume the permissions of a Google Cloud service account dynamically and only for the duration needed, reducing the attack surface.

This method not only enhances security but also simplifies the management of access controls and minimizes the potential for credential leakage. Moreover, it takes advantage of existing identity and access management capabilities from identity providers, ensuring that access policies are upheld consistently across environments.

In contrast, while service account impersonation is a secure method, it generally relies on accessing service account keys, which is less preferable than workload identity federation. OAuth 2.0 authentication is widely used for authorizing access to Google APIs but may not provide the same level of integrated security for CI/CD pipelines as workload identity federation. API keys are generally less secure than the