Exam Professional Cloud Developer topic 1 question 126 discussion

For me C. In link1 we can see how google suggests to use service accounts and in link2 we can see that the invoker role exists. Link1: https://cloud.google.com/functions/docs/securing#authentication Link2: https://cloud.google.com/functions/docs/reference/iam/roles#cloud-functions-roles

The best answer here is C. Create a service account with the Cloud Functions Invoker role. Use that service account to invoke the function. Here's why: Cloud Functions Invoker Role: This role specifically grants the permission to invoke Cloud Functions. It's the most granular and appropriate role for this scenario, ensuring that the service account can only invoke Cloud Functions and nothing else. Least Privilege: Using the Cloud Functions Invoker role adheres to the principle of least privilege, granting only the necessary permissions to the service account. This minimizes the risk of unauthorized access or actions. Service Account Authentication: Service accounts are designed for machine-to-machine authentication. They provide a secure and reliable way to authenticate your calling service to the Cloud Function.

IAP is not available for Cloud Functions, so the only possible option is C

IAP is not available for Cloud Functions, so the only possible answer is C

1 The best way to ensure that invocations of a Cloud Function that processes sensitive data can only happen from authorized services and follows Google-recommended best practices is to enable Identity-Aware Proxy in your project and secure function access using its permissions.

Since this is service to service communication, cloud function invoker role should be provided to the service that wants to invoke cloud function in the data processing pipeline.

vote c

The best approach is to use a combination of authn, authz, and encryption 1. Enable IAP to ensure that only authenticated and authorized users or services can access Cloud Function 2. Set up an appropriate level of access control using IAM roles and policies, such as roles/cloudfunctions.invoker, to ensure that only authorized services can invoke your Cloud Function, This can be done by creating a service account for the calling function, assign the appropriate invoker role to the service account on the data processing function and use the service account credentials in the calling function 3. Use Google-provided libraries or resources, such as KMS or Cloud Storage, to encrypt and store sensitive data 4. Apply security best practices such as limiting the scope of the service account, and using Cloud IAP to protect access to your Cloud Function 5. consider using Cloud Event that ensure your function is triggered only by authorized events, you can use Cloud Event to ensure that your function is invoked only by specific event types that you have configured

C is the answer. https://cloud.google.com/functions/docs/securing/authenticating

C is correct

ANSWER C https://medium.com/google-cloud/how-to-securely-invoke-a-cloud-function-from-google-kubernetes-engine-running-on-another-gcp-79797ec2b2c6

I think D is correct

I will go with option C.

C : https://cloud.google.com/functions/docs/securing/authenticating#authenticating_function_to_function_calls

Vote C

I believe this is C

Agreed D … From link reference below The tokens themselves are created using the OAuth 2 framework, and its extension, Open Identity Connect, but the sequence is complex and error-prone, and the use of Cloud Client Libraries to manage the process is highly recommended.