Practice Test 1 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test
You are designing a large distributed application with 30 microservices. Each of your distributed microservices needs to connect to a database back-end. You want to store the credentials securely. Where should you store the credentials?
A. In a secret management system
B. In the source code
C. In an environment variable
D. In a config file that has restricted access through ACLs
Correct Answer A
Feedback
A (Correct answer) – In a secret management system
Applications often require access to small pieces of sensitive data at build or run time. These pieces of data are often referred to as secrets. Secrets are similar in concept to configuration files, but are generally more sensitive, as they may grant access to additional data, such as user data. https://cloud.google.com/kms/docs/secret-management
B – In the source code: This is exactly again the best practice “Do not embed secrets related to authentication in source code, such as API keys, OAuth tokens, and service account credentials.” (see below the best practice #1)
C – In an environment variable – you use environment variable to point to the location where the secrets (credentials) are stored other than store the secrete directly (see below the best practice #1
D – In a configuration file that has restricted access through ACLs – Secrets are similar to but generally more sensitive
than configuration and also, ACLs may not enough for the secrete management. Here is example for Storing secrets https://cloud.google.com/kms/docs/store-secrets
Additional Resource
https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
Best practices for managing credentials
Credentials provide access to sensitive data. The following practices help protect access to these resources:
1) Do not embed secrets related to authentication in source code, such as API keys, OAuth tokens, and service account credentials. You can use an environment variable pointing to credentials outside of the application’s source code, such as Cloud Key Management Service.
2) Do use different credentials in different contexts, such as in testing and production environments.
3) Do transfer credentials only over HTTPS to prevent a third party from intercepting your credentials. Never transfer in clear text or as part of the URL.
4) Never embed long-lived credentials into your client-side app. For example, do not embed service account credentials into a mobile app. Client-side apps can be examined, and credentials can easily be found and used by a third party.
Do revoke a token if you no longer need it.
Comments are closed, but trackbacks and pingbacks are open.