Exam Professional Cloud Architect topic 10 question 1 discussion

Actual exam question from Google's Professional Cloud Architect
Question #: 1
Topic #: 10

For this question, refer to the TerramEarth case study. You start to build a new application that uses a few Cloud Functions for the backend. One use case requires a Cloud Function func_display to invoke another Cloud Function func_query. You want func_query only to accept invocations from func_display. You also want to follow Google's recommended best practices. What should you do?

  • A. Create a token and pass it in as an environment variable to func_display. When invoking func_query, include the token in the request. Pass the same token to func_query and reject the invocation if the tokens are different.
  • B. Make func_query 'Require authentication.' Create a unique service account and associate it to func_display. Grant the service account invoker role for func_query. Create an id token in func_display and include the token to the request when invoking func_query.
  • C. Make func_query 'Require authentication' and only accept internal traffic. Create those two functions in the same VPC. Create an ingress firewall rule for func_query to only allow traffic from func_display.
  • D. Create those two functions in the same project and VPC. Make func_query only accept internal traffic. Create an ingress firewall for func_query to only allow traffic from func_display. Also, make sure both functions use the same service account.
Suggested Answer: B

Comments

raf2121
Highly Voted 3 years, 1 month ago
B Authentication function to function calls. Add calling function service account as a member on the receiving function and grant that member the cloud functions invoker https://cloud.google.com/functions/docs/securing/authenticating
upvoted 18 times
...
MaxNRG
Highly Voted 2 years, 11 months ago
B is correct. You need both service account (Authorization) and id token (Authentication). When building services that connect multiple functions, it's a good idea to ensure that each function can only send requests to a specific subset of your other functions. For instance, if you have a login function, it should be able to access the user profiles function, but it probably shouldn't be able to access the search function. To configure the receiving function to accept requests from a specific calling function, you need to grant the Cloud Functions Invoker (roles/cloudfunctions.invoker) role to the calling function's service account on the receiving function.
upvoted 15 times
MaxNRG
2 years, 11 months ago
Because it will be invoking the receiving function, the calling function must also provide a Google-signed ID token to authenticate. This is a two-step process:
1. Create a Google-signed ID token with the audience field (aud) set to the URL of the receiving function.
2. Include the ID token in an Authorization: Bearer ID_TOKEN header in the request to the function.
https://cloud.google.com/functions/docs/securing/authenticating#authenticating_function_to_function_calls
Authentication function to function calls. Add calling function service account as a member on the receiving function and grant that member the cloud functions invoker.
upvoted 8 times
MaxNRG
2 years, 11 months ago
Have the account you are using to access Cloud Functions assigned a role that contains the cloudfunctions.functions.invoke permission. By default, the Cloud Functions Admin and Cloud Functions Developer roles have this permission.
https://cloud.google.com/functions/docs/securing/authenticating
Depending on who or what is invoking your cloud function the process for setting up authentication will vary, however there are two requirements common to all types of authentication:
1. The person or service authorized to invoke the cloud function must be assigned the cloudfunctions.invoker role or some other role with the cloudfunctions.invoke permission.
2. The person or service authorized to invoke the cloud function must send a token along with the HTTP request to prove that they are authorized to invoke the cloud function.
https://dev.to/jakewitcher/setting-up-authorization-for-http-cloud-functions-in-gcp-45bc
upvoted 2 times
...
...
...
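The two-step process quoted in the thread above, written out as an added Python example (not part of any comment and not Google's own sample code). The helper names and the injectable `opener` parameter are assumptions for illustration; the metadata-server identity endpoint is the documented one, and the calling function's service account is assumed to already hold roles/cloudfunctions.invoker on func_query.

```python
import base64
import json
import urllib.parse
import urllib.request

# Documented metadata-server endpoint that issues Google-signed ID tokens
# for the runtime service account of the calling function (func_display).
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)


def fetch_id_token(audience, opener=urllib.request.urlopen):
    """Step 1: request an ID token whose aud claim is the receiving function's URL."""
    query = urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}", headers={"Metadata-Flavor": "Google"}
    )
    with opener(req, timeout=5) as resp:
        return resp.read().decode("ascii").strip()


def token_claims(id_token):
    """Decode the JWT payload for a local sanity check. This does NOT verify the
    signature; the platform does that (plus the IAM check) before func_query runs."""
    body = id_token.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def build_invocation(func_query_url, id_token, payload):
    """Step 2: send the token in an Authorization: Bearer header."""
    return urllib.request.Request(
        func_query_url,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {id_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def call_func_query(func_query_url, payload, opener=urllib.request.urlopen):
    """Run both steps; fail closed if the token was minted for another audience."""
    token = fetch_id_token(func_query_url, opener)
    if token_claims(token).get("aud") != func_query_url:
        raise ValueError("ID token audience does not match func_query URL")
    with opener(build_invocation(func_query_url, token, payload), timeout=10) as resp:
        return resp.status, resp.read()
```

Unlike the static shared token in option A, the token here is short-lived, bound to one audience, and tied to a service-account identity that IAM can grant or revoke without redeploying either function.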
Gino17m
Most Recent 4 months, 3 weeks ago
Selected Answer: B
Vote for B
upvoted 1 times
...
mesodan
6 months, 3 weeks ago
Selected Answer: D
B is overkill. Option D provides a more secure, efficient, and manageable solution that adheres to Google's best practices. Google Cloud Functions already have built-in mechanisms for:
- Authorization: Each Cloud Function has an associated service account assigned by default. This service account controls who can invoke the function based on its IAM roles.
- Authentication: Cloud Functions automatically handle authentication for authorized invocations using a secure token exchange process. You don't need to manually manage ID tokens in this context.
upvoted 1 times
...
megumin
1 year, 10 months ago
Selected Answer: B
B is ok
upvoted 1 times
...
Nirca
2 years ago
Selected Answer: B
service account - B!
upvoted 1 times
...
satamex
2 years, 1 month ago
Just checking why not A?
upvoted 1 times
...
AzureDP900
2 years, 2 months ago
B makes sense without too much thinking.. This is strict enforcement..
upvoted 2 times
...
mad314
2 years, 5 months ago
Selected Answer: B
Had this question on my exam.
upvoted 3 times
...
Pime13
2 years, 9 months ago
Selected Answer: B
vote B
upvoted 1 times
...
joe2211
2 years, 10 months ago
Selected Answer: B
vote B
upvoted 1 times
...
victory108
3 years ago
B. Make func_query 'Require authentication.' Create a unique service account and associate it to func_display. Grant the service account invoker role for func_query. Create an id token in func_display and include the token to the request when invoking func_query.
upvoted 8 times
...
SweetieS
3 years, 1 month ago
B is OK
upvoted 3 times
...