
Answer-first summary for fast verification
Answer: Make func_query 'Require authentication.' Create a unique service account and associate it to func_display. Grant the service account invoker role for func_query. Create an id token in func_display and include the token to the request when invoking func_query.
Option B is the correct answer. It follows Google's best practices for securing Cloud Functions: func_query requires authentication, and access is controlled through service accounts. Creating a unique service account, associating it with func_display, and granting that service account the invoker role for func_query ensures that only authorized invocations occur. Generating an ID token in func_display and including it in the request to func_query provides a secure way to authenticate the invoking source.
Author: LeetQuiz Editorial Team
TerramEarth, a company that manufactures heavy equipment for the mining and agricultural industries, has moved its vehicle data aggregation and analysis infrastructure to Google Cloud. You start to build a new application for TerramEarth that uses a few Cloud Functions for the backend. One specific use case requires a Cloud Function func_display to invoke another Cloud Function func_query. You want func_query only to accept invocations from func_display while following Google's recommended best practices. What should you do?
A
Create a token and pass it in as an environment variable to func_display. When invoking func_query, include the token in the request. Pass the same token to func_query and reject the invocation if the tokens are different.
B
Make func_query 'Require authentication.' Create a unique service account and associate it to func_display. Grant the service account invoker role for func_query. Create an id token in func_display and include the token to the request when invoking func_query.
C
Make func_query 'Require authentication' and only accept internal traffic. Create those two functions in the same VPC. Create an ingress firewall rule for func_query to only allow traffic from func_display.
D
Create those two functions in the same project and VPC. Make func_query only accept internal traffic. Create an ingress firewall for func_query to only allow traffic from func_display. Also, make sure both functions use the same service account.
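The caller side of option B, as an added example that is not part of the original question: func_display asks the metadata server for an ID token whose audience is func_query's URL, then sends it as a bearer token. The function names `identity_token_request`, `authenticated_request` and `call_func_query`, and the sample URL, are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Metadata-server endpoint that mints an ID token for the service account
# the calling function (func_display) runs as.
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")


def identity_token_request(audience):
    """Build the metadata-server request for an ID token scoped to `audience`."""
    query = urllib.parse.urlencode({"audience": audience})
    return urllib.request.Request(f"{METADATA_IDENTITY_URL}?{query}",
                                  headers={"Metadata-Flavor": "Google"})


def authenticated_request(func_query_url, id_token, payload):
    """Build the call to func_query with the ID token as a bearer credential."""
    return urllib.request.Request(
        func_query_url,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {id_token}",
                 "Content-Type": "application/json"},
        method="POST")


def call_func_query(func_query_url, payload, urlopen=urllib.request.urlopen):
    """Runs inside func_display: fetch a token for func_query, then invoke it."""
    # The audience is func_query's own URL. func_query is set to
    # 'Require authentication', so a request without a valid token from a
    # service account holding the invoker role never reaches its code.
    with urlopen(identity_token_request(func_query_url), timeout=5) as resp:
        id_token = resp.read().decode().strip()
    request = authenticated_request(func_query_url, id_token, payload)
    with urlopen(request, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed sample URL; only builds the requests, no network access.
    url = "https://example-region-example-project.cloudfunctions.net/func_query"
    print(identity_token_request(url).full_url)
    print(authenticated_request(url, "<id-token>", {"vehicle": "demo"}).header_items())
```

The token is fetched at call time rather than stored, which is the difference from option A's shared secret in an environment variable.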