You are deploying a container image to Cloud Run. You want to ensure that unauthenticated users cannot access the service. How should you configure the deployment?

Answer options:

Deploy the service with the --allow-unauthenticated flag and handle authentication in your application code.

Deploy the service without the --allow-unauthenticated flag and grant the roles/run.invoker role only to authorized identities.

Configure a VPC firewall rule to block public IP addresses.

Use Cloud Armor to block unauthenticated requests.

How to approach this question

Identify the native IAM role used to control access to Cloud Run services.

Full Answer

B.Deploy the service without the --allow-unauthenticated flag and grant the roles/run.invoker role only to authorized identities.✓ Correct

Deploy the service without the --allow-unauthenticated flag and grant the roles/run.invoker role only to authorized identities.

By default, Cloud Run services are secure and require authentication. You must explicitly grant the `roles/run.invoker` IAM role to users, groups, or service accounts that need to access the service. Using the `--allow-unauthenticated` flag grants this role to `allUsers`, making it public.

Common mistakes

Thinking VPC firewall rules apply directly to public Cloud Run endpoints.

Question 25 All questions Question 27

Practice the full GCP Associate Cloud Engineer Practice Exam 1

50 questions · hints · full answers · grading

More questions from this exam

Q01What is the highest level of the Google Cloud resource hierarchy?Easy Q02You need to enable the Compute Engine API in a new project using the command line. Which command ...Easy Q03You are setting up a new GCP environment. You need to grant a group of developers access to view ...Medium Q04You want to receive an email notification when your GCP spending exceeds $1000 this month. What s...Easy Q05You need to analyze your GCP billing data using complex SQL queries to understand cost trends acr...Medium

View all 50 questions →