Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Google Exam Professional-Cloud-DevOps-Engineer Topic 2 Question 69 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam
Question #: 69
Topic #: 2
[All Professional Cloud DevOps Engineer Questions]

Your uses Jenkins running on Google Cloud VM instances for CI/CD. You need to extend the functionality to use infrastructure as code automation by using Terraform. You must ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. You want to follow Google-recommended practices- What should you do?

Show Suggested Answer Hide Answer
Suggested Answer: C

The correct answer is C)

Confirming that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions is the best way to ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. This follows the Google-recommended practice of using service accounts to authenticate and authorize applications running on Google Cloud1. Service accounts are associated with private keys that can be used to generate access tokens for Google Cloud APIs2. By attaching a service account to the Jenkins VM instance, Terraform can use the Application Default Credentials (ADC) strategy to automatically find and use the service account credentials3.

Answer A is incorrect because the auth application-default command is used to obtain user credentials, not service account credentials. User credentials are not recommended for applications running on Google Cloud, as they are less secure and less scalable than service account credentials1.

Answer B is incorrect because it involves downloading and copying the secret key value of the service account, which is not a secure or reliable way of managing credentials. The secret key value should be kept private and not exposed to any other system or user2. Moreover, setting the GOOGLE environment variable on the Jenkins server is not a valid way of providing credentials to Terraform. Terraform expects the credentials to be either in a file pointed by the GOOGLE_APPLICATION_CREDENTIALS environment variable, or in a provider block with the credentials argument3.

Answer D is incorrect because it involves using the Terraform module for Secret Manager, which is a service that stores and manages sensitive data such as API keys, passwords, and certificates. While Secret Manager can be used to store and retrieve credentials, it is not necessary or sufficient for authorizing the Terraform Jenkins instance. The Terraform Jenkins instance still needs a service account with the appropriate IAM permissions to access Secret Manager and other Google Cloud resources.


by Ahmed at May 31, 2024, 03:19 AM

Limited Time Offer

25%

Off

Get Premium Professional-Cloud-DevOps-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Quentin
4 months ago
Haha, I bet the exam writer is trying to trick us with these answer choices. Time to put on my thinking cap!
upvoted 0 times
...
Gilberto
4 months ago
A looks like the easiest solution, but I'm not sure if it's the Google-recommended practice.
upvoted 0 times
Dalene
3 months ago
C) Confirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.
upvoted 0 times
...
Elza
3 months ago
A) Add the auth application-default command as a step in Jenkins before running the Terraform commands.
upvoted 0 times
...
...
Candra
4 months ago
I'm not sure about D. Using Secret Manager to retrieve credentials might be overkill for this use case.
upvoted 0 times
Helene
3 months ago
C) Confirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.
upvoted 0 times
...
Val
3 months ago
B) Create a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE environment variable on the Jenkins server.
upvoted 0 times
...
Marquetta
4 months ago
A) Add the auth application-default command as a step in Jenkins before running the Terraform commands.
upvoted 0 times
...
...
Buddy
4 months ago
B sounds good to me. Creating a dedicated service account and passing the secret key to the Jenkins server seems like the safest approach.
upvoted 0 times
Ashley
3 months ago
User 3: I agree, we should make sure the Jenkins VM instance has the right IAM permissions too.
upvoted 0 times
...
Marg
3 months ago
User 2: B sounds good to me. Creating a dedicated service account and passing the secret key to the Jenkins server seems like the safest approach.
upvoted 0 times
...
Izetta
4 months ago
User 1: I think we should add the auth application-default command in Jenkins before running Terraform.
upvoted 0 times
...
...
Carri
4 months ago
I agree with Ligia. Option B is the most secure way to authorize the Terraform Jenkins instance.
upvoted 0 times
...
Adelina
4 months ago
I think the answer is C. The Jenkins VM instance should have an attached service account with the appropriate IAM permissions to create Google Cloud resources.
upvoted 0 times
Rolande
3 months ago
C) Confirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.
upvoted 0 times
...
Jacquelyne
3 months ago
B) Create a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE environment variable on the Jenkins server.
upvoted 0 times
...
Torie
4 months ago
C) Confirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.
upvoted 0 times
...
Emilio
4 months ago
A) Add the auth application-default command as a step in Jenkins before running the Terraform commands.
upvoted 0 times
...
...
Ligia
4 months ago
I think option B is the best choice because it ensures security by using a dedicated service account.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77