0
votes

I have created a set of cloud functions that work to ingest data into Google Cloud Storage. The functions have been set with a GET HTTP request to only accept internal traffic.

However, when I use Cloud Scheduler to invoke the functions I continually get permissions errors, even after specifying a service account for each of the functions with the proper permissions. I have set each of the functions to be in the us-central1 region and have researched the docs and Stack Overflow with no success so far. Can I receive some assistance with this?


2 Answers

4
votes

Cloud Scheduler is a serverless product. This means it doesn't belong to your project and does not send the request to your Cloud Function through your VPC. In addition, Cloud Scheduler isn't yet supported in VPC SC.

Thus, you can't. The workaround is to allow all ingress traffic on the Cloud Function and to uncheck allow-unauthenticated access. Therefore, your function is callable from elsewhere (from the internet) BUT you need valid authentication to invoke it.

Use your service account and add it to Cloud Scheduler for invoking your function. Grant it a sufficient role for this.

Alternative

However, if you would prefer not to deploy your function publicly accessible on the internet (the "allow internal traffic only" ingress mode), there is an alternative.

Change your Cloud Scheduler job to publish a Pub/Sub message instead of calling your function directly. Then, deploy your function linked to the Pub/Sub topic instead of in HTTP-target mode.

You might have some updates to perform in your code, especially if you have parameters to handle (initially in the query or the body, now everything is in the Pub/Sub message published by Cloud Scheduler). But your function is only callable by your Pub/Sub topic and in no other way.
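The first workaround in the answer above, as an added example in gcloud commands (not code from the answer or from the asker's project): ingress open to all, unauthenticated access off, the scheduler's service account granted the invoker role, and the Scheduler job signing each request with an OIDC token whose audience is the function URL. Project, region, function, job and service-account names, and the schedule, are placeholders. With DRY_RUN=1 (the default) the script prints the commands instead of running them; set DRY_RUN=0 to apply them with an authenticated gcloud.

```shell
#!/bin/sh
# Added example: "allow all ingress, but require authentication" for a
# Cloud Function invoked by Cloud Scheduler. All names below are placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"                 # placeholder project id
REGION="${REGION:-us-central1}"                  # region used in the question
FUNCTION="${FUNCTION:-ingest-to-gcs}"            # placeholder function name
JOB="${JOB:-ingest-to-gcs-every-10m}"            # placeholder job name
SA="${SA:-scheduler-invoker@${PROJECT}.iam.gserviceaccount.com}"  # placeholder SA
FUNCTION_URL="${FUNCTION_URL:-https://${REGION}-${PROJECT}.cloudfunctions.net/${FUNCTION}}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Every command the setup needs, in order.
http_oidc_setup() {
  # 1. Reachable from the internet, but every caller must present a valid
  #    Google-signed token: --no-allow-unauthenticated keeps allUsers off the
  #    invoker role. Keep --runtime/--source/--entry-point as in your
  #    existing deployment.
  run gcloud functions deploy "$FUNCTION" \
    --project="$PROJECT" --region="$REGION" --trigger-http \
    --ingress-settings=all --no-allow-unauthenticated

  # 2. Only the scheduler's service account may invoke the function.
  run gcloud functions add-iam-policy-binding "$FUNCTION" \
    --project="$PROJECT" --region="$REGION" \
    --member="serviceAccount:${SA}" --role="roles/cloudfunctions.invoker"

  # 3. Scheduler signs each request with an OIDC token for that service
  #    account. The audience must be the function URL, otherwise the
  #    function's IAM check rejects the token.
  run gcloud scheduler jobs create http "$JOB" \
    --project="$PROJECT" --location="$REGION" \
    --schedule="*/10 * * * *" --time-zone="Etc/UTC" \
    --uri="$FUNCTION_URL" --http-method=GET \
    --oidc-service-account-email="$SA" --oidc-token-audience="$FUNCTION_URL"

  # 4. Trigger once now to confirm the 401/403 is gone before waiting on cron.
  run gcloud scheduler jobs run "$JOB" --project="$PROJECT" --location="$REGION"
}

http_oidc_setup
```

Review the printed commands first; the job's target URL and its OIDC audience must match exactly, and the invoker binding must name the same service account the job signs with, or the request is still rejected.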

1
votes

According to the documentation, in order to trigger a Cloud Function from Cloud Scheduler you have to use Pub/Sub. These are the steps:

  1. Create the Cloud Function and make it triggered by a Pub/Sub topic.
  2. Create the Pub/Sub topic.
  3. Create the Cloud Scheduler job that will invoke the Pub/Sub trigger.

Once you do that you will be able to test-run the Cloud Scheduler job and verify whether it's working now. The final schema is something like this:

Cloud Scheduler job => Pub/Sub topic => Cloud Function

Once it's working remember to revert the roles granted to the Cloud Scheduler service account, as this method doesn't require them.

Here I found a blog post that does the same but with a more practical approach that you can follow from a CLI.
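The Scheduler => Pub/Sub => Cloud Function chain from this answer, and the "alternative" in the first answer, as an added example in gcloud commands (not code from either answer or from the linked blog post), including the role clean-up this answer recommends. Names, the schedule and the message body are placeholders. With DRY_RUN=1 (the default) the script prints the commands instead of running them; set DRY_RUN=0 to apply them with an authenticated gcloud.

```shell
#!/bin/sh
# Added example: Cloud Scheduler job -> Pub/Sub topic -> Cloud Function.
# All names below are placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"                 # placeholder project id
REGION="${REGION:-us-central1}"                  # region used in the question
FUNCTION="${FUNCTION:-ingest-to-gcs}"            # placeholder function name
TOPIC="${TOPIC:-ingest-to-gcs-trigger}"          # placeholder topic name
JOB="${JOB:-ingest-to-gcs-every-10m}"            # placeholder job name
SA="${SA:-scheduler-invoker@${PROJECT}.iam.gserviceaccount.com}"  # SA from the HTTP attempt
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

pubsub_chain_setup() {
  # 1. The topic must exist before a function can be deployed against it.
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT"

  # 2. Deploy with a Pub/Sub trigger instead of --trigger-http. There is no
  #    HTTP endpoint to expose, so no ingress setting is involved: only a
  #    publish to this topic runs the function. Keep --runtime/--source/
  #    --entry-point as in your existing deployment.
  run gcloud functions deploy "$FUNCTION" \
    --project="$PROJECT" --region="$REGION" \
    --trigger-topic="$TOPIC"

  # 3. The job publishes a message. Parameters that used to be in the query
  #    string or request body now go in the message body (the function
  #    receives it base64-encoded in the event's "data" field).
  run gcloud scheduler jobs create pubsub "$JOB" \
    --project="$PROJECT" --location="$REGION" \
    --schedule="*/10 * * * *" --time-zone="Etc/UTC" \
    --topic="$TOPIC" --message-body='{"source":"daily-feed"}'

  # 4. Trigger once to verify the chain end to end.
  run gcloud scheduler jobs run "$JOB" --project="$PROJECT" --location="$REGION"
}

# The invoker role granted during the HTTP attempt is not needed on this path:
# Pub/Sub, not the scheduler's service account, invokes the function.
revoke_http_invoker() {
  run gcloud functions remove-iam-policy-binding "$FUNCTION" \
    --project="$PROJECT" --region="$REGION" \
    --member="serviceAccount:${SA}" --role="roles/cloudfunctions.invoker"
}

pubsub_chain_setup
revoke_http_invoker
```

Run the revoke step only after the Pub/Sub job has been test-run successfully, and only if that binding actually exists (gcloud errors when asked to remove a binding that is not present).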