I’ve looked everywhere and it seems people either use Pub/Sub, App Engine HTTP, or HTTP with no auth. Not too many people out there showing their work for accessing functions via authentication with OIDC tokens to access Google Functions.
I checked out: Cannot invoke Google Cloud Function from GCP Scheduler but nothing seemed to work.
Documentation I followed: https://cloud.google.com/scheduler/docs/http-target-auth#using-gcloud_1
- created a new service account
- set roles (Cloud scheduler service agent/Cloud functions service agent/Cloud scheduler admin/cloud functions invoker…even tried owner!)
- deployed google function that doesn’t allow public (unauthenticated) access (a simple helloworld function)
- set up a cron job on Cloud Scheduler to run every minute against the newly deployed function with this configuration:
  - url = helloworld function
  - oidc-token
  - newly created service account
  - audience set to hello world function url
outcome on cloud scheduler logs:
{
  httpRequest: { }
  insertId: "ibboa4fg7l1s9"
  jsonPayload: {
    @type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"
    jobName: "projects/project/locations/region/jobs/tester"
    status: "PERMISSION_DENIED"
    targetType: "HTTP"
    url: "https://region-project.cloudfunctions.net/tester"
  }
  logName: "projects/project/logs/cloudscheduler.googleapis.com%2Fexecutions"
  receiveTimestamp: "2020-04-15T17:50:14.287689800Z"
  resource: {…}
  severity: "ERROR"
  timestamp: "2020-04-15T17:50:14.287689800Z"
}
I saw one solution that showed someone creating a new project to get this to work; are there any others?
Appreciate any help provided.
UPDATE
New Google Function – running in central (same as my app engine app)
New Service Account – w/ Owner role
ACTUAL FIX
If you’re missing the Cloud Scheduler service account (ex: service-1231231231412@gcp-sa-cloudscheduler.iam.gserviceaccount.com), HTTP auth tasks won’t work. To fix it, I had to disable the API and re-enable it, and that gave me the service account. I didn’t use this service account, but that was the only changing factor after I did this to make it work.
Answer
These are the exact steps you have to take. Be sure not to skip the second step, it sets invoker permissions on the service account so that the scheduler is able to invoke the HTTP Cloud Function with that service account’s OIDC information. Note: for simplicity, I choose the default service account here, however, it would be wise to create a separate service account for this purpose with less privileges.
# Create cloud function
gcloud functions deploy my_function \
  --entry-point=my_entrypoint \
  --runtime=python37 \
  --trigger-http \
  --region=europe-west1 \
  --project=${PROJECT_ID}

# Set invoke permissions
gcloud functions add-iam-policy-binding my_function \
  --region=europe-west1 \
  --member=serviceAccount:${PROJECT_ID}@appspot.gserviceaccount.com \
  --role="roles/cloudfunctions.invoker" \
  --project=${PROJECT_ID}

# Deploy scheduler
gcloud scheduler jobs create http my_job \
  --schedule="every 60 minutes" \
  --uri="https://europe-west1-${PROJECT_ID}.cloudfunctions.net/my_function/" \
  --http-method=POST \
  --oidc-service-account-email="${PROJECT_ID}@appspot.gserviceaccount.com" \
  --oidc-token-audience="https://europe-west1-${PROJECT_ID}.cloudfunctions.net/my_function" \
  --project=${PROJECT_ID}
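Added example, not code from the question or the answer: the answer's steps rewritten with the dedicated, invoker-only service account it recommends, with the OIDC audience derived from the target URI so it matches what Cloud Functions checks, and with the API enablement that the asker's fix turned out to depend on. PROJECT_ID, REGION, FUNCTION_NAME and SA_NAME are placeholder values; gcloud is only invoked when the script is run with --apply.

```shell
#!/usr/bin/env sh
# Added example (not the question's or the answer's code). Placeholders: PROJECT_ID,
# REGION, FUNCTION_NAME, SA_NAME. gcloud runs only when invoked with --apply.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"        # placeholder project id
REGION="${REGION:-europe-west1}"
FUNCTION_NAME="${FUNCTION_NAME:-my_function}"
SA_NAME="${SA_NAME:-scheduler-invoker}"       # dedicated account, invoker role only
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

function_uri() {
  printf 'https://%s-%s.cloudfunctions.net/%s' "$REGION" "$PROJECT_ID" "$FUNCTION_NAME"
}

# Cloud Functions accepts the token only if its aud claim equals the function URL, so
# derive the audience from the target URI instead of typing it twice: drop any query
# string and a trailing slash (the answer's job uses ".../my_function/" as URI and
# ".../my_function" as audience).
audience_for_uri() {
  uri="$1"
  uri="${uri%%\?*}"   # strip query string
  uri="${uri%/}"      # strip one trailing slash
  printf '%s' "$uri"
}

apply() {
  uri="$(function_uri)"
  # Enabling the API is what provisioned the Cloud Scheduler service agent the asker
  # found missing ("ACTUAL FIX" above); without it authenticated HTTP jobs fail.
  gcloud services enable cloudscheduler.googleapis.com --project="$PROJECT_ID"
  # A dedicated service account that holds nothing but invoker on this one function.
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
  gcloud functions add-iam-policy-binding "$FUNCTION_NAME" --region="$REGION" \
    --member="serviceAccount:${SA_EMAIL}" --role="roles/cloudfunctions.invoker" \
    --project="$PROJECT_ID"
  # The job presents an OIDC token minted for that account; audience == function URL.
  gcloud scheduler jobs create http "${FUNCTION_NAME}-job" --schedule="every 60 minutes" \
    --uri="$uri" --http-method=POST \
    --oidc-service-account-email="$SA_EMAIL" \
    --oidc-token-audience="$(audience_for_uri "$uri")" \
    --project="$PROJECT_ID"
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```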