You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a
Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?

A. Configure the appropriate service accounts, and use Workload Identity to run the pods. B. Store the application credentials as Kubernetes Secrets, and expose them as environment variables. C. Configure the appropriate routing rules, and use a VPC-native cluster to directly connect to the database. D. Store the application credentials using Cloud Key Management Service, and retrieve them whenever a database connection is made.