Module 4: Securing Cloud Run Functions
Looking for "Developing Applications with Cloud Run Functions on Google Cloud Module 4 Answers"?
In this post, I provide complete, accurate, and detailed explanations for the answers to Module 4: Securing Cloud Run Functions of Course 5: Developing Applications with Cloud Run Functions on Google Cloud - Preparing for Google Cloud Certification: Cloud Developer Professional Certificate.
Whether you're preparing for quizzes or brushing up on your knowledge, these insights will help you master the concepts effectively. Let's dive into the correct answers and detailed explanations for each question!
Quiz 3
Graded Assignment
1. To limit access to Cloud Run functions, what methods can you use? Select two.
- Use HTTPS.
- Use identity-based access controls.
- Use a username and password.
- Use network-based access controls.
- Use an encryption key.
Explanation:
- Identity-based access control (IAM) restricts who can invoke functions.
- Network-based access control allows limiting access using VPC Service Controls or firewall rules.
2. Cloud Run functions uses IAM to authorize the requesting identity. Which predefined IAM roles are used by Cloud Run functions? Select four.
- Cloud Functions Admin
- Cloud Functions Reader
- Cloud Functions Developer
- Cloud Functions Invoker
- Cloud Functions Viewer
Explanation:
- Cloud Functions Admin: Full control over functions.
- Cloud Functions Developer: Can create, modify, and deploy functions.
- Cloud Functions Invoker: Grants permission to invoke functions.
- Cloud Functions Viewer: Read-only access to function details.
3. Which statements about function identity are correct? Select three.
- Every function is associated with a runtime service account that serves as its identity.
- The App Engine default service account is used as the default runtime service account for Cloud Run functions (1st gen).
- In production environments, you should use a runtime service account for a function's identity with the maximum set of permissions.
- The Compute Engine default service account is used as the default runtime service account for Cloud Run functions.
Explanation:
- Every function needs an identity, typically a service account.
- Cloud Run functions (1st gen) uses the App Engine default service account.
- Cloud Run functions (2nd gen) uses the Compute Engine default service account.
4. Which network setting allows Cloud Run functions to route all outbound traffic from a function through a VPC network?
- Ingress setting to allow all traffic.
- Egress setting to route traffic only to private IPs through a Serverless VPC connector.
- Ingress setting to allow internal traffic and traffic from Cloud Load Balancing.
- Egress setting to route all traffic through a Serverless VPC connector.
Explanation:
- Egress settings define outbound traffic rules.
- Serverless VPC Access connector enables Cloud Run to access private VPC resources.
5. A customer-managed encryption key (CMEK) is used to encrypt a function and its related data. What is the impact when such a key is disabled or destroyed?
- Executions that require new function instances will fail.
- Active instances of the function are shut down.
- There is no impact to the function.
- Executions of the function that are already in progress are terminated.
Explanation:
When a CMEK is disabled/destroyed, new function instances cannot be created because the encrypted resources cannot be decrypted.