Google Cloud Professional Cloud Developer — Question 128

Your team develops services that run on Google Cloud. You need to build a data processing service and will use Cloud Functions. The data to be processed by the function is sensitive. You need to ensure that invocations can only happen from authorized services and follow Google-recommended best practices for securing functions. What should you do?

Answer options

• A. Enable Identity-Aware Proxy in your project. Secure function access using its permissions.
• B. Create a service account with the Cloud Functions Viewer role. Use that service account to invoke the function.
• C. Create a service account with the Cloud Functions Invoker role. Use that service account to invoke the function.
• D. Create an OAuth 2.0 client ID for your calling service in the same project as the function you want to secure. Use those credentials to invoke the function.

Correct answer: C

Explanation

The correct answer is C because creating a service account with the Cloud Functions Invoker role allows only authorized services to invoke the function, ensuring security for sensitive data. Option A does not directly secure function invocations, and option B lacks the necessary permissions for invocation. Option D, while it provides a method of authentication, does not use the recommended service account approach for invoking Cloud Functions.