从云调度程序调用谷歌云 function 时获取权限被拒绝错误

Question

I am trying to envoke Google cloud function which is Http triggered by cloud scheduler. But whenever I try to run cloud scheduler it always says Permsiion denies error

 httpRequest: {
  status: 403   
 }
 insertId: "14igacagbanzk3b"  
 jsonPayload: {
  @type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"   
  jobName: "projects/***********/locations/europe-west1/jobs/twilio-cloud-scheduler"   
  status: "PERMISSION_DENIED"   
  targetType: "HTTP"   
  url: "https://europe-west1-********.cloudfunctions.net/function-2"   
 }
 logName: "projects/*******/logs/cloudscheduler.googleapis.com%2Fexecutions"  
 receiveTimestamp: "2020-09-20T15:11:13.240092790Z"  
 resource: {
  labels: {
   job_id: "***********"    
   location: "europe-west1"    
   project_id: "**********"    
  }
  type: "cloud_scheduler_job"   
 }
 severity: "ERROR"  
 timestamp: "2020-09-20T15:11:13.240092790Z"  
}

Solutions I tried -

1. Tried putting Google cloud function in the same region as the App engine as suggested by some users.
2. Gave access to Google provided cloud schduler sa service- **** @gcp-sa-cloudscheduler.iamaccount.gserviceaccount.com owner role and Cloud Functions Admin role
3. My cloud function has ingress setting of Allow all traffic.

My cloud scheduler only works when I run below command

gcloud functions add-iam-policy-binding cloud-function --member="allUsers" --role="roles/cloudfunctions.invoker"

Answer 1

On Cloud Scheduler page, you have to add a service account to use to call the private Cloud Function. In the Cloud Scheduler set up, you have to

• Click on SHOW MORE on the bottom
• Select Add OIDC token in the Auth Header section
• Add a service account email in the service account email for the Scheduler
• Fill in the Audience with the same base URL as the Cloud Functions (the URL provided when you deployed it)

The service account email for the Scheduler must be granted with the role functions.Invoker

Answer 2

In my case the problem was related to restricted ingress setting for the cloud function. I set it to 'allow internal traffic only', but that allows only traffic from services using VPC, whereas Cloud Scheduler doesn't as per doc explanation:

Internal-only HTTP functions can only be invoked by HTTP requests that are created within a VPC network, such as those from Kubernetes Engine, Compute Engine, or the App Engine Flexible Environment. This means that events created by or routed through Pub/Sub, Eventarc, Cloud Scheduler, Cloud Tasks and Workflows cannot trigger these functions.

So the proper way to do it is:

• set the ingress to 'all traffic'
• remove the permission for allUsers with role Cloud Function Invoker
• add the permission for created service account with role Cloud Function Invoker
• or just set that permission globally for the service account in IAM console(you could do that when creating service account as well)

Answer 3

If you tried all of the above (which should be the first things to look at, such as Add OIDC token, giving your service account role Cloud Function Invoker etc.), please also check the following:

For me the only thing that fixed this, was adding the following google internal service account to IAM:
service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com
And give this internal service account the following role:
Cloud Scheduler Service Agent

See also:
https://cloud.google.com/scheduler/docs/http-target-auth

And especially for this case:
https://cloud.google.com/scheduler/docs/http-target-auth#add