1. A junior team member creates a service account `ci-robot@my-project.iam.gserviceaccount.com` for CI/CD pipelines. You discover that they also created and downloaded a user-managed service account key for this account. According to Google's security best practices and common audit requirements, what is the primary concern with this approach, and what is the recommended alternative?
- A. User-managed keys are more secure because they are not rotated automatically; this is a best practice
- B. User-managed keys have no built-in expiration and are harder to audit and rotate compared to short-lived credentials from Workload Identity or service account impersonation, so you should use Workload Identity or OAuth2-based token exchange instead✓ Correct
- C. User-managed keys are fine if they are stored in Secret Manager; the risk is eliminated by encryption
- D. User-managed keys must be rotated monthly by policy; as long as rotation happens, the risk is acceptable
Explanation
The correct answer is option 2. Google explicitly recommends *against* user-managed service account keys due to the security risks: they do not expire, are difficult to audit at scale, cannot be easily rotated, and if compromised, pose a persistent threat. The recommended approaches are: (1) Workload Identity for workloads on GKE, (2) service account impersonation, or (3) short-lived tokens from GCP's token exchange mechanisms. Option 1 is dangerously wrong—automatic rotation is a security *benefit*, not a drawback. Option 3 is incorrect; storing a key in Secret Manager is still using a user-managed key and does not mitigate the underlying risks. Option 4 is wrong; even with rotation, user-managed keys lack the auditability and short lifetime of better alternatives.