Exam Professional Cloud Developer topic 1 question 268 discussion

Actual exam question from Google's Professional Cloud Developer
Question #: 268
Topic #: 1

You manage a system that runs on stateless Compute Engine VMs and Cloud Run instances. Cloud Run is connected to a VPC, and the ingress setting is set to Internal. You want to schedule tasks on Cloud Run. You create a service account and grant it the roles/run.invoker Identity and Access Management (IAM) role. When you create a schedule and test it, a 403 Permission Denied error is returned in Cloud Logging. What should you do?

  • A. Grant the service account the roles/run.developer IAM role.
  • B. Configure a cron job on the Compute Engine VMs to trigger Cloud Run on schedule.
  • C. Change the Cloud Run ingress setting to 'Internal and Cloud Load Balancing.'
  • D. Use Cloud Scheduler with Pub/Sub to invoke Cloud Run.
Suggested Answer: D

Comments

plutonians123
6 months, 2 weeks ago
Selected Answer: D
Cloud Scheduler can trigger Cloud Run services, but in this case, where the ingress is set to 'Internal', direct invocation might not work. Instead, you can use Cloud Scheduler in combination with Pub/Sub. Cloud Scheduler can create a Pub/Sub message on a schedule, and this Pub/Sub message can then trigger the Cloud Run service. This approach is commonly used for invoking services with restricted network access.
upvoted 4 times
diegodoal
7 months ago
Selected Answer: D
D. When setting the Pub/Sub subscription, use type push and use the service account with the invoker role as authentication. A. No need for more permissions. B. It could work if the VMs are in the same VPC, but it is not best practice. C. That setting is only for connecting to a load balancer.
upvoted 1 times
vspringe
7 months ago
D. is the best solution because it effectively circumvents the limitation of the Internal ingress setting of Cloud Run. This setting restricts external access, which is likely causing the 403 error. By using Cloud Scheduler to trigger a Pub/Sub topic, and then having Pub/Sub trigger the Cloud Run service, you maintain internal access security while enabling external scheduling. This method is both secure and adheres to the internal-only access requirements, leveraging managed services for scalability and reliability.
upvoted 1 times
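The receiving side of the Cloud Scheduler, Pub/Sub push, Cloud Run flow described in the comments above, as an added example that is not part of the original thread or Google's own code. The subscription path, task name and payload layout are hypothetical; the subscription check is a sanity check only, since authentication is the push subscription's service-account token that Cloud Run IAM verifies against roles/run.invoker before the request reaches the container.

```python
import base64
import binascii
import json

# Hypothetical values: the subscription path and task registry are assumptions.
EXPECTED_SUBSCRIPTION = "projects/example-project/subscriptions/scheduled-tasks-push"
TASKS = {"cleanup": lambda args: f"cleanup ran for {args.get('bucket', 'default')}"}


def handle_push(body: bytes, expected_subscription: str = EXPECTED_SUBSCRIPTION):
    """Process one Pub/Sub push request body; return (http_status, detail).

    Pub/Sub treats 204 as an acknowledgement and an error status as a nack
    that triggers redelivery, so only transient failures return 500.
    """
    try:
        envelope = json.loads(body)
        message = envelope["message"]
        subscription = envelope["subscription"]
    except (ValueError, KeyError, TypeError):
        return 400, "not a Pub/Sub push envelope"

    # Refuse pushes from any subscription other than the one wired to the schedule.
    if subscription != expected_subscription:
        return 403, "unexpected subscription"

    try:
        payload = json.loads(base64.b64decode(message.get("data", ""), validate=True))
        task = TASKS[payload["task"]]
        args = payload.get("args", {})
        if not isinstance(args, dict):
            raise TypeError("args must be an object")
    except (binascii.Error, ValueError, KeyError, TypeError, AttributeError):
        # Permanently bad message: ack it so it is not redelivered forever.
        return 204, "dropped malformed or unknown task"

    try:
        return 204, task(args)
    except Exception as exc:  # transient task failure: nack so Pub/Sub retries
        return 500, f"task failed: {exc}"


def make_push_body(payload: dict, subscription: str = EXPECTED_SUBSCRIPTION) -> bytes:
    """Build a constructed sample of the envelope a push subscription POSTs."""
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return json.dumps({
        "message": {"data": data, "messageId": "1", "attributes": {}},
        "subscription": subscription,
    }).encode()
```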