To prevent external unauthenticated calls, you can make your function private. Very easy to do: deploy it with the --no-allow-unauthenticated param
gcloud functions deploy my-function --no-allow-unauthenticated --trigger... --region... --runtime...
But now the scheduler can't call it. You now have to do 2 things:
- Create a service account with the correct roles. You can do it via the GUI or with the command line
# Create the service account
gcloud iam service-accounts create your-service-account-name
# Grant the role for calling the function
gcloud functions add-iam-policy-binding \
--member=serviceAccount:your-service-account-name@YOUR_PROJECT_ID.iam.gserviceaccount.com \
--role=roles/cloudfunctions.invoker your-function-name
With the GUI, if you grant the role cloudfunctions.invoker at project level, your service account will be able to access all functions in your project. With my command line, I only grant the role on a specific function. You can do it through the console by going to the functions list, selecting a function (check box) and clicking on "show info panel". There you have a permissions tab.
- Then create your scheduler job with the service account
gcloud scheduler jobs create http your-job-name --schedule="0 0 * * *" \
--uri=your-function-URI \
--oidc-service-account-email=your-service-account-name@YOUR_PROJECT_ID.iam.gserviceaccount.com
If it doesn't work, it's because your Cloud Scheduler service agent isn't authorized to generate tokens for the service account.
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member=serviceAccount:service-[project-number]@gcp-sa-cloudscheduler.iam.gserviceaccount.com \
--role roles/cloudscheduler.serviceAgent
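The whole procedure from this answer as one script, added here as an example (it is not the answer's own code); every project, region, function, account and job name in it is a placeholder, and by default it only prints the gcloud commands instead of running them:

```shell
#!/bin/sh
# Added example (not from the original answer): the whole procedure as one script.
# All names below are placeholders; DRY_RUN=1 (default) only prints the gcloud commands.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project-id}"
REGION="${REGION:-europe-west1}"
FUNCTION="${FUNCTION:-my-function}"
SA_NAME="${SA_NAME:-scheduler-invoker}"
JOB="${JOB:-nightly-job}"
SCHEDULE="${SCHEDULE:-0 0 * * *}"
DRY_RUN="${DRY_RUN:-1}"

# Pure helpers: the two IAM member strings the bindings need.
invoker_member() { printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"; }
scheduler_agent_member() { printf 'serviceAccount:service-%s@gcp-sa-cloudscheduler.iam.gserviceaccount.com' "$1"; }
# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

setup() {
  sa_member="$(invoker_member "$SA_NAME" "$PROJECT_ID")"
  # 1. Deploy privately: no unauthenticated invocations at all.
  run gcloud functions deploy "$FUNCTION" --project "$PROJECT_ID" --region "$REGION" \
    --runtime python311 --trigger-http --no-allow-unauthenticated
  # 2. A dedicated identity for the scheduler, granted invoker on this one function only.
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID"
  run gcloud functions add-iam-policy-binding "$FUNCTION" --project "$PROJECT_ID" --region "$REGION" \
    --member "$sa_member" --role roles/cloudfunctions.invoker
  # 3. The Cloud Scheduler service agent must be allowed to mint OIDC tokens for that account.
  if [ "$DRY_RUN" = 1 ]; then
    project_number=123456789012; uri="https://example.invalid/$FUNCTION"   # constructed placeholders
  else
    project_number="$(gcloud projects describe "$PROJECT_ID" --format 'value(projectNumber)')"
    uri="$(gcloud functions describe "$FUNCTION" --project "$PROJECT_ID" --region "$REGION" \
      --format 'value(httpsTrigger.url)')"
  fi
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "$(scheduler_agent_member "$project_number")" --role roles/cloudscheduler.serviceAgent
  # 4. The job authenticates with an OIDC token for the service account, audience = function URL.
  run gcloud scheduler jobs create http "$JOB" --project "$PROJECT_ID" --location "$REGION" \
    --schedule "$SCHEDULE" --uri "$uri" --http-method POST \
    --oidc-service-account-email "${sa_member#serviceAccount:}" --oidc-token-audience "$uri"
  # 5. Review the result: the function's policy should list only this account as invoker.
  run gcloud functions get-iam-policy "$FUNCTION" --project "$PROJECT_ID" --region "$REGION"
}

setup
```

Run it with DRY_RUN=0 once the placeholders are replaced with your own values; step 5 lets you confirm that nothing else holds roles/cloudfunctions.invoker on the function.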