Free Google Professional Cloud DevOps Actual Exam Questions - Question 6 Discussion
You are building an application that runs on Cloud Run. The application needs to access a third-party
API by using an API key. You need to determine a secure way to store and use the API key in your
application by following Google-recommended practices. What should you do?
Cloud KMS in C and D is more about encryption keys, not storing API keys directly. So those options don’t fit here. Using Secret Manager like in A is really the best practice for managing secrets securely in Cloud Run.
I’m with A on this one. Cloud Run has built-in support for pulling secrets from Secret Manager directly into environment variables, which is super straightforward and secure. Mounting secrets like in B isn’t even supported in Cloud Run, so that option’s kind of a non-starter. Using Cloud KMS like in C or D makes things complicated since you’d have to handle encryption/decryption yourself, and Google recommends Secret Manager for managing secrets properly. So A makes the most sense here for both security and simplicity.
B imo since mounting secrets is more secure than env vars exposed directly.
Looks like A is the best practice here.