Google Exam Professional Cloud Developer Topic 5 Question 108 Discussion

Actual exam question for Google's Professional Cloud Developer exam

Question #: 108
Topic #: 5

[All Professional Cloud Developer Questions]

You need to deploy resources from your laptop to Google Cloud using Terraform. Resources in your Google Cloud environment must be created using a service account. Your Cloud Identity has the roles/iam.serviceAccountTokenCreator Identity and Access Management (IAM) role and the necessary permissions to deploy the resources using Terraform. You want to set up your development environment to deploy the desired resources following Google-recommended best practices. What should you do?

A1) Download the service account's key file in JSON format, and store it locally on your laptop.
2) Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your downloaded key file.

B1) Run the following command from a command line: gcloud config set auth/impersonate_service_account service-account-name@project.iam.gserviceacccount.com.
2) Set the GOOGLE_OAUTH_ACCESS_TOKEN environment variable to the value that is returned by the gcloud auth print-access-token command.

C1) Run the following command from a command line: gcloud auth application-default login.
2) In the browser window that opens, authenticate using your personal credentials.

D1) Store the service account's key file in JSON format in Hashicorp Vault.
2) Integrate Terraform with Vault to retrieve the key file dynamically, and authenticate to Vault using a short-lived access token.

Show Suggested Answer

Suggested Answer: D

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#file-system

Whenever possible, avoid storing service account keys on a file system. If you can't avoid storing keys on disk, make sure to restrict access to the key file, configure file access auditing, and encrypt the underlying disk.

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#software-keystore

In situations where using a hardware-based key store isn't viable, use a software-based key store to manage service account keys. Similar to hardware-based options, a software-based key store lets users or applications use service account keys without revealing the private key. Software-based key store solutions can help you control key access in a fine-grained manner and can also ensure that each key access is logged.

by Tequila at Jul 09, 2025, 02:02 PM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Developer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Cordelia

9 days ago

Authenticating with my personal credentials? That doesn't sound right, this is supposed to be a service account deployment.

upvoted 0 times

...

Zena

17 days ago

Impersonating the service account using gcloud? That's an interesting approach, but I wonder if it's really the recommended best practice.

upvoted 0 times

...

Basilia

19 days ago

Option A looks straightforward, but downloading the service account key file locally doesn't seem very secure. Hmm, maybe there's a better way.

upvoted 0 times

Willard

7 days ago

D) Store the service account's key file in JSON format in Hashicorp Vault. Integrate Terraform with Vault to retrieve the key file dynamically, and authenticate to Vault using a short-lived access token.

upvoted 0 times

...

Paris

12 days ago

C) Run the following command from a command line: gcloud auth application-default login. In the browser window that opens, authenticate using your personal credentials.

upvoted 0 times

...

Edna

12 days ago

A) Download the service account's key file in JSON format, and store it locally on your laptop. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your downloaded key file.

upvoted 0 times

...