Securely Incorporating Database Credentials and Application Secrets in Cloud Build | PCDE Exam Prep


Question

You use Cloud Build to build and deploy your application.

You want to securely incorporate database credentials and other application secrets into the build pipeline.

You also want to minimize the development effort.

What should you do?

Answers

Explanations


D.

https://cloud.google.com/build/docs/securing-builds/use-encrypted-credentials

When building and deploying an application with Cloud Build, it is important to securely incorporate database credentials and other application secrets into the build pipeline. There are several options for doing so, but the best approach will depend on the specific requirements and constraints of the application.

A. Option A suggests creating a Cloud Storage bucket and using built-in encryption at rest. The secrets can be stored in the bucket, and Cloud Build can be granted access to the bucket. This approach is simple and can be effective, but it may not provide the level of security required for highly sensitive data. Additionally, it may be difficult to manage access to the bucket and ensure that only authorized users can access the secrets.

B. Option B suggests encrypting the secrets and storing them in the application repository. The decryption key can be stored in a separate repository, and Cloud Build can be granted access to both repositories. This approach can provide strong security for the secrets, but it may be more complex to implement and manage than other options.

C. Option C suggests using client-side encryption to encrypt the secrets and storing them in a Cloud Storage bucket. The decryption key can be stored in the same bucket, and Cloud Build can be granted access to the bucket. This approach can provide strong security and can be simpler to implement than option B. However, it may require additional development effort to implement the client-side encryption.

D. Option D suggests using Cloud Key Management Service (Cloud KMS) to encrypt the secrets and including the encrypted values in the Cloud Build deployment configuration. Cloud Build can be granted access to the KeyRing so it can decrypt them at build time. This approach can provide strong security and can be relatively simple to implement. However, it may require additional configuration and management of Cloud KMS.
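The following cloudbuild.yaml shows how option D is expressed in practice: the ciphertext of a database password sits in the build configuration, and the build step references the KMS key that Cloud Build uses to decrypt it. This is an added example, not code from this page or from Google's documentation; the project ID, key ring, key name and the base64 ciphertext are placeholders.

```yaml
# Added example (not from the original page). Placeholders:
#   PROJECT_ID, KEYRING_NAME, KEY_NAME, and the base64 ciphertext below.
#
# One-time setup outside the build (run by a developer, not by Cloud Build):
#   1. Encrypt the plaintext with the key and base64-encode the ciphertext:
#        echo -n 'real-db-password' | gcloud kms encrypt \
#          --plaintext-file=- --ciphertext-file=- --location=global \
#          --keyring=KEYRING_NAME --key=KEY_NAME | base64
#   2. Grant the Cloud Build service account decrypt access on the key
#      (roles/cloudkms.cryptoKeyDecrypter) so the build can unwrap it.
#
# Only the ciphertext is committed; the plaintext never enters the repo.
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    # $$DB_PASSWORD escapes Cloud Build substitution so bash reads the
    # decrypted variable. The value exists only inside this step's process;
    # never echo it, or it ends up in the build log.
    args:
      - '-c'
      - |
        ./run-db-migrations.sh --password-env DB_PASSWORD
    # Only steps that list a secret here receive its decrypted value.
    secretEnv: ['DB_PASSWORD']

secrets:
  - kmsKeyName: projects/PROJECT_ID/locations/global/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME
    secretEnv:
      # base64 of the KMS ciphertext produced in step 1 (placeholder value)
      DB_PASSWORD: 'Q2lRQTxwbGFjZWhvbGRlci1jaXBoZXJ0ZXh0Pg=='
```

Because the ciphertext is bound to one KMS key, rotating the secret is a matter of re-encrypting and committing the new value; revoking the build's decrypt role on the key immediately stops every pipeline from reading it.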

Overall, the best approach will depend on the specific requirements and constraints of the application. Options B, C, and D can all provide strong security for the secrets, but they may require more development effort than option A. Option A may be a good choice for applications with lower security requirements, while options B, C, and D may be better for applications with higher security requirements.