Exam DOP-C02
Question 239

A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to deploy its web applications on containers. The web applications contain confidential data that cannot be decrypted without specific credentials.

A DevOps engineer has stored the credentials in AWS Secrets Manager. The secrets are encrypted by an AWS Key Management Service (AWS KMS) customer managed key. A Kubernetes service account for a third-party tool makes the secrets available to the applications. The service account assumes an IAM role that the company created to access the secrets.

The service account receives an Access Denied (403 Forbidden) error while trying to retrieve the secrets from Secrets Manager.

What is the root cause of this issue?

    Correct Answer: B

    The root cause is that the key policy of the customer managed key does not allow the IAM role assumed by the Kubernetes service account to use the key. The credentials in Secrets Manager are encrypted under a customer managed KMS key, and when the service account calls GetSecretValue, Secrets Manager calls kms:Decrypt on that key with the caller's credentials, not with its own. For a customer managed key the key policy is the primary access control: an IAM policy attached to the role grants nothing on the key unless the key policy either names the role as a principal or delegates to IAM policies through the account root principal. So even when the role is allowed secretsmanager:GetSecretValue, the decryption step is refused if the key policy omits the role, and the GetSecretValue call fails with Access Denied. The fix is a key policy statement that lets the role call kms:Decrypt, ideally scoped with the kms:ViaService condition to Secrets Manager in the secret's region so the role cannot decrypt arbitrary ciphertext directly.
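The following is an added example, not part of the exam page or of any AWS tooling: a constructed key policy that reproduces the failure above (the key admins are named, the IRSA role is not, and there is no account-root delegation), beside a corrected policy that grants the role kms:Decrypt only when the request comes through Secrets Manager, plus a simplified offline evaluator that shows which calls each policy permits. The account ID, region and role names are assumptions made up for the example; the evaluator models only the kms:ViaService condition key and treats any other condition as unsatisfied.

```python
"""Added example (not from the exam page): does a KMS key policy let the IRSA role
behind a Kubernetes service account decrypt a Secrets Manager secret?

Secrets Manager calls kms:Decrypt with the caller's credentials, so the caller's
principal must be allowed by the key policy (directly, or via the account-root
delegation statement that hands control to IAM policies). Account ID, region and
role names below are invented for the example.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                       # assumption: example account
REGION = "us-east-1"                                           # assumption: secret's region
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/eks-secrets-reader"   # assumption: IRSA role
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:role/kms-admin"           # assumption: key admin role

# Constructed key policy that reproduces the exam failure: only the key admins are
# named, there is no root-delegation statement, and the IRSA role is never mentioned.
DENYING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KeyAdmins",
        "Effect": "Allow",
        "Principal": {"AWS": ADMIN_ARN},
        "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                   "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                   "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
        "Resource": "*",
    }],
})

# Corrected policy: the role may decrypt, but only when the request arrives through
# Secrets Manager in this region (kms:ViaService), so it cannot call kms:Decrypt directly.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        json.loads(DENYING_POLICY)["Statement"][0],
        {
            "Sid": "AllowSecretsManagerDecryptForIrsaRole",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, role_arn):
    """Explicit role ARN, a wildcard, or the account root (delegation to IAM policies)."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    account = role_arn.split(":")[4]
    return role_arn in aws or f"arn:aws:iam::{account}:root" in aws or "*" in aws


def key_policy_allows(policy_json, role_arn, action, via_service=None):
    """Simplified evaluator: is there an Allow statement for role_arn + action?

    Explicit Deny wins, as in IAM. Only a StringEquals kms:ViaService condition is
    modelled; any other condition is treated as not satisfied (conservative).
    """
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not _principal_matches(stmt.get("Principal", {}), role_arn):
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        cond = stmt.get("Condition")
        if cond is not None:
            equals = cond.get("StringEquals", {})
            if set(cond) != {"StringEquals"} or set(equals) != {"kms:ViaService"}:
                continue  # unmodelled condition key: assume it does not hold
            if via_service not in _as_list(equals["kms:ViaService"]):
                continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def secrets_manager_can_decrypt(policy_json, role_arn, region):
    """What Secrets Manager needs when GetSecretValue runs as role_arn."""
    return key_policy_allows(policy_json, role_arn, "kms:Decrypt",
                             via_service=f"secretsmanager.{region}.amazonaws.com")


if __name__ == "__main__":
    print("broken policy, via Secrets Manager:", secrets_manager_can_decrypt(DENYING_POLICY, ROLE_ARN, REGION))
    print("fixed policy, via Secrets Manager: ", secrets_manager_can_decrypt(FIXED_POLICY, ROLE_ARN, REGION))
    print("fixed policy, direct kms:Decrypt:  ", key_policy_allows(FIXED_POLICY, ROLE_ARN, "kms:Decrypt"))
```

The check is deliberately narrow: real KMS evaluation also considers grants, IAM policies once the root-delegation statement exists, resource policies on the secret and SCPs. Its point is the one the question turns on: with no statement naming the role and no root delegation, the role's own IAM policy cannot help, and GetSecretValue fails at the decrypt step.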

Discussion
tgv

---> B

trungtd
Option: B

The IAM role assumed by the Kubernetes service account, not the EKS cluster IAM role => C is wrong