2
votes

I am trying to invoke a Google Cloud Function, which is HTTP triggered, by Cloud Scheduler. But whenever I try to run Cloud Scheduler it always gives a Permission denied error

{
 httpRequest: {
  status: 403   
 }
 insertId: "14igacagbanzk3b"  
 jsonPayload: {
  @type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"   
  jobName: "projects/***********/locations/europe-west1/jobs/twilio-cloud-scheduler"   
  status: "PERMISSION_DENIED"   
  targetType: "HTTP"   
  url: "https://europe-west1-********.cloudfunctions.net/function-2"   
 }
 logName: "projects/*******/logs/cloudscheduler.googleapis.com%2Fexecutions"  
 receiveTimestamp: "2020-09-20T15:11:13.240092790Z"  
 resource: {
  labels: {
   job_id: "***********"    
   location: "europe-west1"    
   project_id: "**********"    
  }
  type: "cloud_scheduler_job"   
 }
 severity: "ERROR"  
 timestamp: "2020-09-20T15:11:13.240092790Z"  
}

Solutions I tried -

  1. Tried putting the Google Cloud Function in the same region as the App Engine app, as suggested by some users.
  2. Gave the Google-provided Cloud Scheduler SA service-****@gcp-sa-cloudscheduler.iamaccount.gserviceaccount.com the Owner role and the Cloud Functions Admin role.
  3. My Cloud Function has the ingress setting Allow all traffic.

My Cloud Scheduler job only works when I run the command below

gcloud functions add-iam-policy-binding cloud-function --member="allUsers" --role="roles/cloudfunctions.invoker"


2 Answers

3
votes

On the Cloud Scheduler page, you have to add a service account to use to call the private Cloud Function. In the Cloud Scheduler setup, you have to

  • Click on SHOW MORE at the bottom
  • Select Add OIDC token in the Auth Header section
  • Add a service account email in the service account email field for the Scheduler
  • Fill in the Audience with the same base URL as the Cloud Function (the URL provided when you deployed it)

The service account email for the Scheduler must be granted the role functions.Invoker


2
votes

In my case the problem was related to a restricted ingress setting for the cloud function. I had set it to 'allow internal traffic only', but that allows only traffic from services using a VPC, whereas Cloud Scheduler doesn't, as per the doc explanation:

Internal-only HTTP functions can only be invoked by HTTP requests that are created within a VPC network, such as those from Kubernetes Engine, Compute Engine, or the App Engine Flexible Environment. This means that events created by or routed through Pub/Sub, Eventarc, Cloud Scheduler, Cloud Tasks and Workflows cannot trigger these functions.

So the proper way to do it is:

  • set the ingress to 'all traffic'
  • remove the permission for allUsers with the role Cloud Function Invoker
  • add the permission for the created service account with the role Cloud Function Invoker
  • or just set that permission globally for the service account in the IAM console (you can do that when creating the service account as well)
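The two answers together describe one procedure: a dedicated service account, the function's ingress set to all traffic, the invoker role granted to that account (and the allUsers binding removed), and a scheduler job that sends an OIDC token whose audience is the function URL. The script below is an added example, not code from the question or either answer, that runs those steps with gcloud. The project id and service-account id are placeholders; the region, function name and job name are taken from the question's log. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them against your own project.

```shell
#!/bin/sh
# Added example: the gcloud steps behind the two answers, in order.
# Placeholders: PROJECT_ID and SA_ID are made up for this example.
PROJECT_ID="${PROJECT_ID:-my-project}"          # placeholder project id
REGION="${REGION:-europe-west1}"                # region from the question's log
FUNCTION_NAME="${FUNCTION_NAME:-function-2}"    # function name from the question's log
JOB_NAME="${JOB_NAME:-twilio-cloud-scheduler}"  # job name from the question's log
SA_ID="${SA_ID:-scheduler-invoker}"             # placeholder service-account id
SA_EMAIL="${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
FUNCTION_URL="https://${REGION}-${PROJECT_ID}.cloudfunctions.net/${FUNCTION_NAME}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; DRY_RUN=0 executes them

# run: print the command line, then execute it unless DRY_RUN=1.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Step 1: a service account whose only job is to invoke the function.
# It gets roles/cloudfunctions.invoker on this one function, not Owner or
# Cloud Functions Admin as tried in the question (least privilege).
create_invoker_sa() {
  run gcloud iam service-accounts create "$SA_ID" \
    --project="$PROJECT_ID" --display-name="Cloud Scheduler invoker"
}

# Step 2 (second answer): ingress must be "all". Internal-only rejects
# Cloud Scheduler, whose requests do not originate inside a VPC. The OIDC
# check below, not the ingress setting, is what keeps the function private.
# The flag is applied on (re)deploy of the existing function.
set_ingress_all() {
  run gcloud functions deploy "$FUNCTION_NAME" --project="$PROJECT_ID" \
    --region="$REGION" --ingress-settings=all
}

# Step 3: grant the invoker role on this function only, and drop the
# allUsers binding from the question's workaround (it makes the function public).
grant_invoker() {
  run gcloud functions add-iam-policy-binding "$FUNCTION_NAME" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="serviceAccount:${SA_EMAIL}" --role="roles/cloudfunctions.invoker"
  run gcloud functions remove-iam-policy-binding "$FUNCTION_NAME" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="allUsers" --role="roles/cloudfunctions.invoker"
}

# Step 4 (first answer): the job attaches an OIDC token minted for the service
# account; the audience must be the function URL or the call is rejected (403).
create_job() {
  run gcloud scheduler jobs create http "$JOB_NAME" \
    --project="$PROJECT_ID" --location="$REGION" \
    --schedule="*/5 * * * *" --time-zone="Etc/UTC" \
    --uri="$FUNCTION_URL" --http-method=GET \
    --oidc-service-account-email="$SA_EMAIL" \
    --oidc-token-audience="$FUNCTION_URL"
}

# Check: the function's IAM policy must no longer contain allUsers.
# Returns non-zero if the public binding is still present (skipped in dry-run).
check_not_public() {
  [ "$DRY_RUN" = "1" ] && return 0
  ! gcloud functions get-iam-policy "$FUNCTION_NAME" --project="$PROJECT_ID" \
      --region="$REGION" --format=json | grep -q '"allUsers"'
}

main() {
  create_invoker_sa
  set_ingress_all
  grant_invoker
  create_job
  check_not_public
}
main
```

The service account needs nothing beyond the invoker binding on the function: Cloud Scheduler obtains the ID token for it on the job's behalf, so no key file is created or stored anywhere. If the job still logs PERMISSION_DENIED after this, compare the --oidc-token-audience value with the function URL character by character; a mismatch there is the usual remaining cause.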