Exam Professional Cloud Developer
Question 69

Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances. You want to distribute these credentials to the host instances as securely as possible.

What should you do?

Correct Answer: B

Using the instance's service account Application Default Credentials (ADC) is the most secure way to give the host instances credentials. Code running on the instance authenticates automatically as the service account attached to the VM, so no credential file has to be stored on the instance or copied to it over the network, which greatly reduces the risk of exposure or compromise. This method also simplifies management, because there are no manual setup steps to perform on each instance.
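The lookup order the discussion below cites (an explicit GOOGLE_APPLICATION_CREDENTIALS key file first, otherwise the service account attached to the VM via the metadata server) can be reproduced with only the standard library. This is an added example, not code from the page or from Google; the metadata URL and the Metadata-Flavor header are the real Compute Engine interface, while the token value in the demo is a constructed stand-in so the code runs off a VM.

```python
import json
import os
import urllib.request

# Real Compute Engine metadata endpoint that issues short-lived access tokens
# for the service account attached to the instance. Reachable only from a VM.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)


def fetch_metadata_token(url=METADATA_TOKEN_URL, timeout=2.0):
    """Request a token from the metadata server (works only on a GCE VM).

    The Metadata-Flavor header is mandatory: the server refuses requests
    without it, so no key material ever has to live on disk.
    """
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def resolve_adc_source(env=None, token_fetcher=fetch_metadata_token):
    """Mirror the ADC precedence discussed on this page.

    1. GOOGLE_APPLICATION_CREDENTIALS names a key file on disk. This is the
       state options C and D leave behind: a long-lived secret to protect.
    2. Otherwise the attached service account is used (option B): only a
       short-lived token is ever held in memory.
    Returns (source, detail) so callers can audit which path was taken.
    """
    env = os.environ if env is None else env
    key_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_path:
        return ("key_file", key_path)
    token = token_fetcher()
    return ("attached_service_account", token["access_token"])


def demo():
    """Show both branches using a constructed token instead of a live VM."""
    fake_token = {"access_token": "ya29.constructed-example", "expires_in": 3599,
                  "token_type": "Bearer"}  # constructed, not a real token
    with_key = resolve_adc_source({"GOOGLE_APPLICATION_CREDENTIALS": "/etc/app/key.json"},
                                  lambda: fake_token)
    attached = resolve_adc_source({}, lambda: fake_token)
    return with_key, attached
```

Run on a real instance, `resolve_adc_source()` with no arguments contacts the metadata server; an audit that finds the `key_file` branch taken on a VM is a sign that a downloadable key was copied onto the host.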

Discussion
woriheck93 (Option: B)

Answer is B. https://cloud.google.com/docs/authentication/production#automatically: "If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code."

omermahgoub (Option: B)

B. Use the instance's service account Application Default Credentials to authenticate to the required resources. Using the instance's service account Application Default Credentials is the most secure method for distributing credentials to the host instances. This method allows the instance to automatically authenticate with the required resources using the instance's built-in service account, without requiring the credentials to be stored on the instance or transmitted over the network. This eliminates the risk of the credentials being compromised or exposed. Additionally, this method is the most convenient, as it requires no manual steps to set up the credentials on the instance.

tomato123 (Option: B)

I think B is correct

syu31svc (Option: C)

"authenticated to GCP" is the key part of the question. https://cloud.google.com/iam/docs/creating-managing-service-account-keys: "To use a service account from outside of Google Cloud, such as on other platforms or on-premises, you must first establish the identity of the service account." "You can create service account keys in JSON or PKCS#12 (P12) format." C is the answer.

syu31svc

https://cloud.google.com/compute/docs/api/how-tos/authorization: "If you run applications on your Compute Engine instances, application default credentials can get credentials through built-in service accounts." Answer is B, not C.

thewalker (Option: B)

The most secure approach is B. Use the instance's service account Application Default Credentials to authenticate to the required resources. Here's why:

- Application Default Credentials (ADC): ADC is a Google Cloud feature that allows applications running on Google Cloud to automatically authenticate using the service account associated with the instance. This eliminates the need to store credentials directly on the instance, reducing security risks.
- No Manual Credential Management: ADC handles authentication automatically, eliminating the need to manually manage credentials, which can be error-prone and introduce security vulnerabilities.
- Key Rotation: Google Cloud automatically rotates service account keys, further enhancing security.

thewalker

Let's look at why the other options are less secure:

- A. Use HTTP signed URLs to securely provide access to the required resources: HTTP signed URLs are useful for providing temporary access to specific resources, but they don't address the core issue of securely storing and managing service account credentials.
- C. Generate a P12 file from the GCP Console after the instance is deployed and copy the credentials to the host instance before starting the application: This approach requires storing credentials on the instance, which is a security risk. It also introduces manual steps that can be error-prone.
- D. Commit the credential JSON file into your application's source repository and have your CI/CD process package it with the software that is deployed to the instance: This is a major security risk. Storing credentials in source code exposes them to anyone with access to the repository.

Rajan (Option: A)

This approach ensures that the credentials are securely managed and automatically provided to the instances when needed.

Rajan (Option: B)

Option B is correct: this approach ensures that the credentials are securely managed and automatically provided to the instances when needed.

telp (Option: B)

Answer B, because best practice is to not store a file with service account information when possible. With Compute Engine, the service account of the VM can be used to call Google APIs if the roles are added to this service account.

cloud_enth0325 (Option: B)

I'm also considering this part: "distribute these credentials to the host instances as securely as possible". This falls under B.

GoReplyGCPExam (Option: C)

"Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances." The application requires the credentials to be stored on the VM instance, so I think the application code points to a file stored in the instance.

ralf_cc (Option: C)

Only C sounds right.