
Answer-first summary for fast verification
Answer: Create a service account with the Cloud Functions Invoker role. Use that service account to invoke the function.
To secure Cloud Functions and ensure only authorized services can invoke them, Google recommends using IAM roles. The Cloud Functions Invoker role (roles/cloudfunctions.invoker) grants permission to invoke a function. By creating a service account with this role and using it for invocation, the calling service is both authenticated and authorized. Option C is correct. Option A (IAP) is better suited to user access control than to service-to-service calls. Option B uses the Viewer role, which doesn't grant invocation rights. Option D's OAuth 2.0 client ID is for user-based authentication, not service accounts.
Author: LeetQuiz Editorial Team
Your team is developing services on Google Cloud and needs to build a data processing service using Cloud Functions. The function will handle sensitive data, so you must ensure invocations are restricted to authorized services while adhering to Google's recommended best practices for securing Cloud Functions. What steps should you take?
A. Enable Identity-Aware Proxy in your project. Secure function access using its permissions.
B. Create a service account with the Cloud Functions Viewer role. Use that service account to invoke the function.
C. Create a service account with the Cloud Functions Invoker role. Use that service account to invoke the function.
D. Create an OAuth 2.0 client ID for your calling service in the same project as the function you want to secure. Use those credentials to invoke the function.
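One way to check that a deployed function matches the setup described in the explanation is to audit its IAM policy for who holds roles/cloudfunctions.invoker. This is an added example, not part of the original quiz; it assumes policy JSON in the shape returned by `gcloud functions get-iam-policy --format=json`, and the service account names, the `audit_invokers` helper and both sample policies are constructed for illustration.

```python
import json

INVOKER = "roles/cloudfunctions.invoker"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}  # IAM's public principals

def audit_invokers(policy, allowed):
    """Compare a function's IAM policy with the set of callers allowed to invoke it."""
    bindings = policy.get("bindings", [])
    invokers = set()
    for b in bindings:
        if b.get("role") == INVOKER:
            invokers.update(b.get("members", []))
    findings = []
    for m in sorted(invokers & PUBLIC):
        findings.append(f"PUBLIC: {m} can invoke the function")
    for m in sorted(invokers - PUBLIC - allowed):
        findings.append(f"UNEXPECTED: {m} holds {INVOKER}")
    for m in sorted(allowed - invokers):
        # An intended caller without Invoker, e.g. granted Viewer as in option B.
        held = sorted(b.get("role", "") for b in bindings if m in b.get("members", []))
        detail = f" (holds only {', '.join(held)})" if held else ""
        findings.append(f"MISSING: {m} lacks {INVOKER}{detail}")
    return findings

# Constructed sample data (hypothetical project and account names).
CALLER = "serviceAccount:caller@example-project.iam.gserviceaccount.com"
GOOD_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudfunctions.invoker",
   "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]}""")
BAD_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudfunctions.viewer",
   "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/cloudfunctions.invoker",
   "members": ["allUsers",
               "serviceAccount:other@example-project.iam.gserviceaccount.com"]}]}""")

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_invokers(policy, {CALLER}) or "OK")
```

The check reads only unconditional role bindings; a policy that uses IAM conditions needs those evaluated separately.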