PROFESSIONAL-CLOUD-DEVELOPER · Question #200
You are developing an application that will handle requests from end users. You need to secure a Cloud Function called by the application to allow authorized end users to authenticate to the function
The correct answer is B. Deploy from a source code repository and grant users the roles/cloudfunctions.invoker role. The roles/cloudfunctions.invoker role grants the minimum permission required to call a Cloud Function. When Google Sign-In is integrated, authenticated users present an identity token; the function validates it and either serves the request or rejects it. This enforces access con
Question
You are developing an application that will handle requests from end users. You need to secure a Cloud Function called by the application to allow authorized end users to authenticate to the function via the application while restricting access to unauthorized users. You will integrate Google Sign-In as part of the solution and want to follow Google-recommended best practices. What should you do?
Options
- ADeploy from a source code repository and grant users the roles/cloudfunctions.viewer role.
- BDeploy from a source code repository and grant users the roles/cloudfunctions.invoker role
- CDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.admin role
- DDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.developer
How the community answered
(44 responses)- A14% (6)
- B77% (34)
- C2% (1)
- D7% (3)
Explanation
The roles/cloudfunctions.invoker role grants the minimum permission required to call a Cloud Function. When Google Sign-In is integrated, authenticated users present an identity token; the function validates it and either serves the request or rejects it. This enforces access control without over-provisioning permissions. The roles/cloudfunctions.viewer role (A) only allows reading function metadata, not invoking it. The roles/cloudfunctions.admin (C) and roles/cloudfunctions.developer (D) roles grant deployment and management capabilities, which violates the principle of least privilege for end users who only need to call the function.
Topics
Community Discussion
No community discussion yet for this question.