I have created a simple Cloud Run job. I am able to trigger this code via a curl command:

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://sync-<magic>.a.run.app

(Obviously <magic> is actually something else)

Cloud Run is configured with Ingress set to Allow All Traffic and Authentication set to Required.

I followed this documentation: https://cloud.google.com/run/docs/triggering/using-scheduler

And created a service account, granted it the Cloud Run Invoker role, and then set up an HTTP scheduled job to GET the same URL I tested with curl. I have Add OIDC Token selected, and I provide the service account created above and the Audience, which is the same URL I used with curl.

When I attempt to trigger this job (or when it triggers based off the native cron), it fails with:

{
  "status": "PERMISSION_DENIED",
  "@type": "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished",
  "targetType": "HTTP",
  "jobName": "projects/<project>/locations/<region>/jobs/sync",
  "url": "https://sync-<magic>.a.run.app/"
}

Again <project>, <region> and <magic> have real values.

I tried using service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com with YOUR_PROJECT_NUMBER updated appropriately as the service account that runs the scheduled job. It has the same error.

Any advice on how to debug this would be greatly appreciated!

John Hanley: Go to the Google Cloud Console -> Cloud Run. Verify that the service account is bound to the application with the Invoker role.

guillaume blaquiere: Can you check if the Cloud Scheduler service account has the role to generate a token on the service account that you put in the Cloud Scheduler configuration? The role is serviceAccountUser.

user2757811: Thanks John, I have validated this and it does not help.

user2757811: Guillaume, how do I know which service account is used by Cloud Scheduler?

user2757811: @guillaumeblaquiere it looks to me like the Cloud Scheduler service account is service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com. That does not show up in the main IAM or Services screens. Is that what you were thinking I should check?
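The question hinges on the OIDC token that reaches Cloud Run: the service only accepts it if the audience (aud) claim names the service URL and the email claim names a principal that holds roles/run.invoker. The script below is an added example (not the asker's code and not Google tooling) that decodes a token's claims without verifying the signature and reports the claim-level reasons a service would refuse it. The token it builds is constructed, unsigned data for offline use; the placeholder URL is the one from the question. Note that a token printed by `gcloud auth print-identity-token` for a plain user account carries the Cloud SDK client ID as its audience rather than the service URL, so compare this check against a token minted with an explicit audience (for example by Cloud Scheduler for the job's service account, or via `gcloud auth print-identity-token --audiences=URL` with service-account credentials).

```python
from __future__ import annotations

import base64
import json
import time

# Placeholder service URL exactly as written in the question (not a real host).
SERVICE_URL = "https://sync-<magic>.a.run.app"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Re-add the padding that JWT encoding strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(aud: str, email: str, exp_offset: int = 3600) -> str:
    """Constructed, UNSIGNED token in JWT shape, for offline inspection only.

    Real identity tokens are RS256-signed by Google; the third segment here is
    a dummy, so no service will ever accept this token."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": "dummy"}
    payload = {
        "iss": "https://accounts.google.com",
        "aud": aud,
        "email": email,
        "email_verified": True,
        "iat": now,
        "exp": now + exp_offset,
    }
    return ".".join(
        [
            _b64url(json.dumps(header).encode()),
            _b64url(json.dumps(payload).encode()),
            _b64url(b"not-a-real-signature"),
        ]
    )


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_identity_token(token: str, service_url: str, now: int | None = None) -> list[str]:
    """Claim-level reasons an authenticated Cloud Run service would refuse this token.

    An empty list means the claims look right for service_url. Whether the
    principal in the email claim holds roles/run.invoker is a separate check
    against the service's IAM policy."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    problems: list[str] = []
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud is None:
        problems.append("no aud claim: the token is not bound to any audience")
    elif aud.rstrip("/") != service_url.rstrip("/"):
        # Assumption in this example: only a trailing-slash difference is
        # tolerated; anything else in the audience must match the service URL.
        problems.append(f"aud {aud!r} is not the service URL {service_url!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired (identity tokens live about an hour)")
    if "email" not in claims:
        problems.append("no email claim: cannot tell which principal needs roles/run.invoker")
    return problems


if __name__ == "__main__":
    # Offline demo on the constructed token; paste a real token in its place to inspect it.
    tok = make_sample_token(SERVICE_URL, "cloud-scheduler@my-project.iam.gserviceaccount.com")
    print(json.dumps(decode_claims(tok), indent=2))
    print("problems:", check_identity_token(tok, SERVICE_URL) or "none")
```

The script deliberately does not verify the signature: Cloud Run does that itself, and what a person debugging PERMISSION_DENIED needs to see is whether the aud and email claims are the ones the job was supposed to send.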

2 Answers

1 vote

Here is what I did, which solved the issue altogether; I now get the success flag when running a secured Cloud Run service via a Cloud Scheduler job:

  1. Create your service on Cloud Run (let's call it "hello") and secure it by removing "allUsers" from the list of principals under Permissions. You should now get an error when going to the endpoint: Error: Forbidden. Your client does not have permission to get URL / from this server.
  2. Create an IAM service account for Cloud Scheduler (let's call it "cloud-scheduler"); you will get this: [email protected]. Now comes the important part:
  3. Give your SA the ability to run scheduler jobs by adding the Cloud Run Invoker and Cloud Scheduler Job Runner permissions.
  4. Create your Cloud Scheduler job and add the new SA to it according to the Google procedure:
     Auth header: Add OIDC token
     Service account: [email protected]
     Audience: https://Service.url.from.cloud.run.service/
  5. Add to your Cloud Run service an additional principal that gives your SA the Cloud Run Invoker role.

Run your scheduler and voila, all green! Enjoy.
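The five steps above, turned into a check that can be run against the JSON that gcloud returns for the service's IAM policy and for the scheduler job. This is an added example in Python, not the answerer's own code; the policy and job documents are constructed samples shaped like the output of `gcloud run services get-iam-policy SERVICE --region REGION --format=json` and `gcloud scheduler jobs describe JOB --location REGION --format=json`, and the project, service host and service-account email are placeholders. The script checks what steps 1, 4 and 5 set up: the service is not public, the job sends an OIDC token for the right service account with the service URL as audience, and that service account is bound to roles/run.invoker on the service. It does not check the project-level grant that lets the Cloud Scheduler service agent mint tokens for that service account, which the comments on the question discuss.

```python
import copy
import json

# Constructed sample data for this example (placeholders, not values from the page).
SERVICE_URL = "https://hello-abc123-uc.a.run.app"
SCHEDULER_SA = "cloud-scheduler@my-project.iam.gserviceaccount.com"
INVOKER_ROLE = "roles/run.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Service IAM policy after step 1: "allUsers" removed, so nobody can invoke yet.
POLICY_AFTER_STEP_1 = {"bindings": [], "etag": "BwXyz", "version": 1}

# Scheduler job after step 4: OIDC token, the new SA, the service URL as audience.
JOB_AFTER_STEP_4 = {
    "name": "projects/my-project/locations/us-central1/jobs/sync",
    "schedule": "*/5 * * * *",
    "httpTarget": {
        "uri": SERVICE_URL + "/",
        "httpMethod": "GET",
        "oidcToken": {"serviceAccountEmail": SCHEDULER_SA, "audience": SERVICE_URL},
    },
}


def invoker_members(policy: dict) -> set:
    """Members bound to roles/run.invoker. Conditional bindings are skipped."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE and "condition" not in binding:
            members.update(binding.get("members", []))
    return members


def grant_invoker(policy: dict, sa_email: str) -> dict:
    """Step 5: a copy of the policy with the SA bound to roles/run.invoker (idempotent)."""
    member = f"serviceAccount:{sa_email}"
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding.get("role") == INVOKER_ROLE and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": INVOKER_ROLE, "members": [member]})
    return new


def diagnose(job: dict, policy: dict, service_url: str) -> list:
    """Reasons a Scheduler -> Cloud Run call would fail; empty list if it looks right."""

    def norm(url: str) -> str:
        return url.rstrip("/")

    findings = []
    target = job.get("httpTarget", {})
    oidc = target.get("oidcToken")
    if oidc is None:
        findings.append("job sends no OIDC token: an authenticated service rejects it")
        return findings
    sa = oidc.get("serviceAccountEmail", "")
    # Scheduler uses the target URI as the audience when none is configured.
    aud = oidc.get("audience") or target.get("uri", "")
    if norm(target.get("uri", "")) != norm(service_url):
        findings.append(f"job URI {target.get('uri')!r} is not the service URL")
    if norm(aud) != norm(service_url):
        findings.append(f"audience {aud!r} is not the service URL {service_url!r}")
    members = invoker_members(policy)
    if members & PUBLIC_MEMBERS:
        findings.append("service is public (allUsers/allAuthenticatedUsers): auth is not really required")
    elif f"serviceAccount:{sa}" not in members:
        findings.append(f"{sa} has no {INVOKER_ROLE} on the service: the usual cause of PERMISSION_DENIED")
    return findings


if __name__ == "__main__":
    print("before step 5:", diagnose(JOB_AFTER_STEP_4, POLICY_AFTER_STEP_1, SERVICE_URL))
    fixed = grant_invoker(POLICY_AFTER_STEP_1, SCHEDULER_SA)
    print("after step 5: ", diagnose(JOB_AFTER_STEP_4, fixed, SERVICE_URL) or "no findings")
    print(json.dumps(fixed, indent=2))
```

The policy that grant_invoker returns is what `gcloud run services add-iam-policy-binding SERVICE --region REGION --member serviceAccount:EMAIL --role roles/run.invoker` produces; the function exists here so the before and after states of step 5 can be compared offline.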

0 votes

I have tried creating a new service account and giving it the Cloud Run Invoker role, and disabling the Cloud Scheduler API and re-enabling it.

The only thing that works for me is changing the Auth header from Add OIDC token to None. For some reason Cloud Scheduler changes None back to Add OIDC token and triggers Cloud Run normally.