PROFESSIONAL-CLOUD-DEVELOPER · Question #143
Your team develops services that run on Google Cloud. You need to build a data processing service and will use Cloud Functions. The data to be processed by the function is sensitive. You need to ensur
The correct answer is C. Create a service account with the Cloud Functions Invoker role. Use that service account to. To restrict invocations of a Cloud Function to only authorized services, Google's recommended best practice is to create a dedicated service account and grant it the 'Cloud Functions Invoker' (roles/cloudfunctions.invoker) IAM role. The calling service authenticates as that servi
Question
Your team develops services that run on Google Cloud. You need to build a data processing service and will use Cloud Functions. The data to be processed by the function is sensitive. You need to ensure that invocations can only happen from authorized services and follow Google- recommended best practices for securing functions. What should you do?
Options
- AEnable Identity-Aware Proxy in your project. Secure function access using its permissions.
- BCreate a service account with the Cloud Functions Viewer role. Use that service account to
- CCreate a service account with the Cloud Functions Invoker role. Use that service account to
- DCreate an OAuth 2.0 client ID for your calling service in the same project as the function you want
How the community answered
(45 responses)- A7% (3)
- B2% (1)
- C80% (36)
- D11% (5)
Explanation
To restrict invocations of a Cloud Function to only authorized services, Google's recommended best practice is to create a dedicated service account and grant it the 'Cloud Functions Invoker' (roles/cloudfunctions.invoker) IAM role. The calling service authenticates as that service account (using a signed JWT or identity token) when making requests to the function. This ensures only services with the correct service account identity can invoke it, without exposing the function publicly. Option A (Identity-Aware Proxy) is designed for securing web applications behind a load balancer, not for service-to-service Cloud Function invocations. Option B uses the 'Cloud Functions Viewer' role, which only allows viewing function metadata - not invoking it. Option D (OAuth 2.0 client ID) is for user-facing OAuth flows, not service-to-service authentication.
Topics
Community Discussion
No community discussion yet for this question.