PROFESSIONAL-CLOUD-DEVELOPER · Question #320
You are developing a web application that will be deployed to production on Cloud Run. The application consists of multiple microservices, some of which will be publicly accessible and others that wil
The correct answer is D. Configure separate Cloud Run services for the public and restricted microservices. Enable. Option D - configuring separate Cloud Run services and enabling Cloud Run's built-in IAM authentication for the restricted ones - is the most secure and lowest-overhead approach. Cloud Run natively supports two access modes: (1) allow unauthenticated invocations (for public servi
Question
You are developing a web application that will be deployed to production on Cloud Run. The application consists of multiple microservices, some of which will be publicly accessible and others that will only be accessible after authentication by Google identities. You need to ensure that only authenticated users can access the restricted services, while allowing unrestricted access to the public services of the application. You want to use the most secure approach while minimizing management overhead and complexity. How should you configure access?
Options
- AEnable Identity-Aware Proxy (IAP) for all microservices. Develop a new microservice that checks
- BEnable Identity-Aware Proxy (IAP) for all microservices. Manage access control lists (ACLs) for
- CUse Cloud Endpoints with Firebase Authentication for all microservices. Configure Firebase rules
- DConfigure separate Cloud Run services for the public and restricted microservices. Enable
How the community answered
(56 responses)- A7% (4)
- B2% (1)
- C11% (6)
- D80% (45)
Explanation
Option D - configuring separate Cloud Run services and enabling Cloud Run's built-in IAM authentication for the restricted ones - is the most secure and lowest-overhead approach. Cloud Run natively supports two access modes: (1) allow unauthenticated invocations (for public services, granting the Cloud Run Invoker role to allUsers), and (2) require authentication (for restricted services, removing allUsers and requiring a valid Google identity token). This is enforced at the infrastructure level by Google, with no additional code or proxies required. Options A and B use Identity-Aware Proxy (IAP), which adds configuration complexity and is better suited for web apps fronted by load balancers, not Cloud Run's native auth model. Option C (Cloud Endpoints + Firebase Auth) introduces a third-party auth layer and additional services, increasing management overhead unnecessarily when Cloud Run's built-in IAM authentication already satisfies the requirement.
Topics
Community Discussion
No community discussion yet for this question.