nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #360

There are three teams developing an ecommerce application in the same Google Cloud project. Team A will build a set of RESTful APIs that exposes some core functionalities for the application. Team B a

The correct answer is D. 1. Team A uses service accounts to authorize Cloud API Gateway. Team B and Team C each. The most secure and lowest-overhead approach uses Cloud API Gateway for API exposure and service-account-based OIDC authentication for service-to-service calls. Team A configures the API Gateway with a service account for authorization. Teams B and C, running on Cloud Run, each u

API Management and Security

Question

There are three teams developing an ecommerce application in the same Google Cloud project. Team A will build a set of RESTful APIs that exposes some core functionalities for the application. Team B and Team C will make requests to those APIs in their downstream processes running on Cloud Run services. You need to propose a solution for exposing the APIs in a way that maximizes security and minimizes management overhead for the three teams. How should you design this solution?

Options

  • A
    1. Team A uses service accounts to authorize Cloud API Gateway. Team B and Team C each
  • B
    1. Team A uses Apigee hybrid to create an API key and shares that key with Team B and Team
  • C
    1. Team A uses an API key to authorize Cloud API Gateway and shares the key with Team B and
  • D
    1. Team A uses service accounts to authorize Cloud API Gateway. Team B and Team C each

How the community answered

(25 responses)
  • A
    8% (2)
  • B
    4% (1)
  • C
    24% (6)
  • D
    64% (16)

Explanation

The most secure and lowest-overhead approach uses Cloud API Gateway for API exposure and service-account-based OIDC authentication for service-to-service calls. Team A configures the API Gateway with a service account for authorization. Teams B and C, running on Cloud Run, each use their own Cloud Run service identity (a Google-managed service account) to obtain OIDC tokens that are automatically presented when calling the API Gateway. This is keyless, requires no secret management, and each team's service is individually identifiable. Option C shares a single API key, which cannot be scoped per team and is harder to rotate. Options A and B involve Apigee hybrid (more complex, higher overhead) or shared keys, both of which increase management burden or reduce security granularity.

Topics

#API Gateway#Service Accounts#API Security#Inter-service Authentication

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice