Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Google Professional Cloud Developer Exam - Topic 5 Question 108 Discussion

Actual exam question for Google's Professional Cloud Developer exam
Question #: 108
Topic #: 5
[All Professional Cloud Developer Questions]

You need to deploy resources from your laptop to Google Cloud using Terraform. Resources in your Google Cloud environment must be created using a service account. Your Cloud Identity has the roles/iam.serviceAccountTokenCreator Identity and Access Management (IAM) role and the necessary permissions to deploy the resources using Terraform. You want to set up your development environment to deploy the desired resources following Google-recommended best practices. What should you do?

Show Suggested Answer Hide Answer
Suggested Answer: D

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#file-system

Whenever possible, avoid storing service account keys on a file system. If you can't avoid storing keys on disk, make sure to restrict access to the key file, configure file access auditing, and encrypt the underlying disk.

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#software-keystore

In situations where using a hardware-based key store isn't viable, use a software-based key store to manage service account keys. Similar to hardware-based options, a software-based key store lets users or applications use service account keys without revealing the private key. Software-based key store solutions can help you control key access in a fine-grained manner and can also ensure that each key access is logged.


by Tequila at Jul 09, 2025, 02:02 PM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Developer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Glynda
5 months ago
D sounds cool, but isn't it overkill for most projects?
upvoted 0 times
...
Gladis
5 months ago
Wait, can you really use personal credentials for C? That seems risky.
upvoted 0 times
...
Gwen
6 months ago
I think B is better for security reasons.
upvoted 0 times
...
Jesse
6 months ago
A is definitely the standard practice here.
upvoted 0 times
...
Kati
6 months ago
A is the way to go! Simple and effective.
upvoted 0 times
...
Annmarie
6 months ago
I vaguely remember something about using Hashicorp Vault in option D, but I’m not confident about the integration steps with Terraform.
upvoted 0 times
...
Wenona
7 months ago
I feel like option C is too focused on personal credentials, which doesn't align with the best practices we studied about using service accounts.
upvoted 0 times
...
Bong
7 months ago
I think option B sounds familiar; we practiced using gcloud commands to impersonate service accounts, but I can't recall if that's the right approach for Terraform.
upvoted 0 times
...
Venita
7 months ago
I remember we discussed the importance of using service accounts for authentication, but I'm not sure if downloading the key file is the best practice.
upvoted 0 times
...
Gaston
7 months ago
I like the idea of using Vault in option D. That would provide a more secure way to manage the service account credentials. But you're right, it might be a bit complex for this particular exam question. I'll keep that in mind for future scenarios where security is a bigger concern.
upvoted 0 times
...
Yvonne
7 months ago
Option C is interesting, but I'm not sure if using my personal credentials is the best practice here. Shouldn't we be using the service account to authenticate instead? I'll have to double-check the requirements on that.
upvoted 0 times
...
Ligia
8 months ago
Hmm, I'm a bit confused. Option B talks about impersonating the service account, which I'm not sure I fully understand. And option D with Vault seems a bit overkill for this scenario. I'll need to read through the details more carefully.
upvoted 0 times
...
Bulah
8 months ago
This question seems straightforward. I think option A is the way to go - downloading the service account key file and setting the environment variable. Seems like the simplest and most direct approach.
upvoted 0 times
...
Bette
10 months ago
I'm not sure, but option C seems like a good option too. It involves authentication using personal credentials.
upvoted 0 times
...
Pansy
10 months ago
I disagree, I believe option D is better. It adds an extra layer of security with Hashicorp Vault.
upvoted 0 times
...
Tenesha
10 months ago
Downloading a key file? What is this, the Dark Ages? Let's use the cloud, people!
upvoted 0 times
...
Chandra
10 months ago
I think option A is the best choice. It's simple and straightforward.
upvoted 0 times
...
Graciela
10 months ago
Now we're talking! Storing the key in a secure vault and using a short-lived token, that's the way to go. Google would approve of that.
upvoted 0 times
Dustin
8 months ago
D) Store the service account's key file in JSON format in Hashicorp Vault.
upvoted 0 times
...
Judy
10 months ago
A) Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your downloaded key file.
upvoted 0 times
...
Winfred
10 months ago
A) Download the service account's key file in JSON format, and store it locally on your laptop.
upvoted 0 times
...
...
Cordelia
11 months ago
Authenticating with my personal credentials? That doesn't sound right, this is supposed to be a service account deployment.
upvoted 0 times
Ivan
9 months ago
D) Store the service account's key file in JSON format in Hashicorp Vault. Integrate Terraform with Vault to retrieve the key file dynamically, and authenticate to Vault using a short-lived access token.
upvoted 0 times
...
Huey
9 months ago
C) Run the following command from a command line: gcloud auth application-default login. In the browser window that opens, authenticate using your personal credentials.
upvoted 0 times
...
Jolanda
9 months ago
A) Download the service account's key file in JSON format, and store it locally on your laptop. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your downloaded key file.
upvoted 0 times
...
Rima
10 months ago
B) Run the following command from a command line: gcloud config set auth/impersonate_service_account service-account-name@project.iam.gserviceacccount.com.
upvoted 0 times
...
Ashlyn
10 months ago
A) Download the service account's key file in JSON format, and store it locally on your laptop.
upvoted 0 times
...
...
Zena
11 months ago
Impersonating the service account using gcloud? That's an interesting approach, but I wonder if it's really the recommended best practice.
upvoted 0 times
...
Basilia
11 months ago
Option A looks straightforward, but downloading the service account key file locally doesn't seem very secure. Hmm, maybe there's a better way.
upvoted 0 times
Willard
10 months ago
D) Store the service account's key file in JSON format in Hashicorp Vault. Integrate Terraform with Vault to retrieve the key file dynamically, and authenticate to Vault using a short-lived access token.
upvoted 0 times
...
Paris
11 months ago
C) Run the following command from a command line: gcloud auth application-default login. In the browser window that opens, authenticate using your personal credentials.
upvoted 0 times
...
Edna
11 months ago
A) Download the service account's key file in JSON format, and store it locally on your laptop. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your downloaded key file.
upvoted 0 times
...
...

Save Cancel