nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #200

You are developing an application that will handle requests from end users. You need to secure a Cloud Function called by the application to allow authorized end users to authenticate to the function

The correct answer is B. Deploy from a source code repository and grant users the roles/cloudfunctions.invoker role. The roles/cloudfunctions.invoker role grants the minimum permission required to call a Cloud Function. When Google Sign-In is integrated, authenticated users present an identity token; the function validates it and either serves the request or rejects it. This enforces access con

Implementing API Security

Question

You are developing an application that will handle requests from end users. You need to secure a Cloud Function called by the application to allow authorized end users to authenticate to the function via the application while restricting access to unauthorized users. You will integrate Google Sign-In as part of the solution and want to follow Google-recommended best practices. What should you do?

Options

  • ADeploy from a source code repository and grant users the roles/cloudfunctions.viewer role.
  • BDeploy from a source code repository and grant users the roles/cloudfunctions.invoker role
  • CDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.admin role
  • DDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.developer

How the community answered

(44 responses)
  • A
    14% (6)
  • B
    77% (34)
  • C
    2% (1)
  • D
    7% (3)

Explanation

The roles/cloudfunctions.invoker role grants the minimum permission required to call a Cloud Function. When Google Sign-In is integrated, authenticated users present an identity token; the function validates it and either serves the request or rejects it. This enforces access control without over-provisioning permissions. The roles/cloudfunctions.viewer role (A) only allows reading function metadata, not invoking it. The roles/cloudfunctions.admin (C) and roles/cloudfunctions.developer (D) roles grant deployment and management capabilities, which violates the principle of least privilege for end users who only need to call the function.

Topics

#Cloud Functions#IAM#API Security#Deployment Best Practices

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice