Google Cloud Professional Cloud Developer — Question 264
You manage a system that runs on stateless Compute Engine VMs and Cloud Run instances. Cloud Run is connected to a VPC, and the ingress setting is set to Internal. You want to schedule tasks on Cloud Run. You create a service account and grant it the roles/run.invoker Identity and Access Management (IAM) role. When you create a schedule and test it, a 403 Permission Denied error is returned in Cloud Logging. What should you do?
Answer options
- A. Grant the service account the roles/run.developer IAM role.
- B. Configure a cron job on the Compute Engine VMs to trigger Cloud Run on schedule.
- C. Change the Cloud Run ingress setting to 'Internal and Cloud Load Balancing.'
- D. Use Cloud Scheduler with Pub/Sub to invoke Cloud Run.
Correct answer: D
Explanation
The correct answer is D because Cloud Scheduler with Pub/Sub can properly invoke Cloud Run services, especially when ingress is set to Internal. Option A is incorrect because the roles/run.developer role does not grant the permissions needed to invoke the service. Option B does not directly address the permission issue and relies on Compute Engine for scheduling. Option C changes the ingress setting but does not resolve the permission error.