GCP Professional Cloud Architect Practice Question
Your team maintains a single-page web app that currently calls the Google Maps Places API directly from the browser using an unrestricted API key stored in JavaScript. Security asks you to keep the key confidential and limit its potential blast radius while minimizing refactoring effort on the frontend. Which design best meets these requirements?
Replace the API key with an OAuth 2 refresh token stored in browser local storage and exchange it for short-lived access tokens on each request.
Continue calling the Places API directly from the browser but restrict the API key to the site's HTTP referrer headers.
Embed the API key in the JavaScript bundle encrypted with AES-256 and decrypt it in client-side code at runtime before each Places request.
Proxy all Places API requests through a lightweight Cloud Run service, retrieve the API key from Secret Manager at startup, pass it to the container via an environment variable, and restrict the key to the service's static egress IP address.
Moving the Places call to a backend service prevents the key from ever reaching user devices. Storing the key in Secret Manager and injecting it as a runtime environment variable keeps it out of both source control and container images. By configuring Cloud Run (or Cloud Functions) to egress through a static IP address-such as one provided by Cloud NAT-you can restrict the key to that IP, greatly reducing misuse risk. HTTP-referrer restrictions (browser calls) still expose the key to end users, encryption in downloaded JavaScript offers no real protection, and Maps APIs do not accept OAuth 2 tokens in place of an API key.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the role of Secret Manager in securing an API key?
Open an interactive chat with Bash
Why should requests be proxied through a backend service instead of calling the API directly from the browser?
Open an interactive chat with Bash
How does restricting an API key to a static egress IP address improve security?
Open an interactive chat with Bash
What is Cloud Run?
Open an interactive chat with Bash
What is Secret Manager and how does it store API keys securely?
Open an interactive chat with Bash
How does restricting the API key to a static egress IP address improve security?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Managing implementation
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .