[英]Getting permission denied error when calling Google cloud function from Cloud scheduler
I am trying to envoke Google cloud function which is Http triggered by cloud scheduler.我试图唤起谷歌云 function 这是由云调度程序触发的 Http。 But whenever I try to run cloud scheduler it always says Permsiion denies error
但是每当我尝试运行云调度程序时,它总是说 Permsiion 否认错误
httpRequest: {
status: 403
}
insertId: "14igacagbanzk3b"
jsonPayload: {
@type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"
jobName: "projects/***********/locations/europe-west1/jobs/twilio-cloud-scheduler"
status: "PERMISSION_DENIED"
targetType: "HTTP"
url: "https://europe-west1-********.cloudfunctions.net/function-2"
}
logName: "projects/*******/logs/cloudscheduler.googleapis.com%2Fexecutions"
receiveTimestamp: "2020-09-20T15:11:13.240092790Z"
resource: {
labels: {
job_id: "***********"
location: "europe-west1"
project_id: "**********"
}
type: "cloud_scheduler_job"
}
severity: "ERROR"
timestamp: "2020-09-20T15:11:13.240092790Z"
}
Solutions I tried -我尝试过的解决方案 -
My cloud scheduler only works when I run below command我的云调度程序仅在我运行以下命令时才有效
gcloud functions add-iam-policy-binding cloud-function --member="allUsers" --role="roles/cloudfunctions.invoker" gcloud 函数 add-iam-policy-binding cloud-function --member="allUsers" --role="roles/cloudfunctions.invoker"
On Cloud Scheduler page, you have to add a service account to use to call the private Cloud Function.在 Cloud Scheduler 页面上,您必须添加一个服务帐户以用于调用私有 Cloud Function。 In the Cloud Scheduler set up, you have to
在 Cloud Scheduler 设置中,您必须
SHOW MORE
on the bottomSHOW MORE
Add OIDC token
in the Auth Header
sectionAuth Header
部分选择Add OIDC token
The service account email for the Scheduler must be granted with the role functions.Invoker Scheduler 的服务帐户电子邮件必须被授予角色 functions.Invoker
In my case the problem was related to restricted ingress setting for the cloud function.在我的情况下,问题与云功能的受限入口设置有关。 I set it to 'allow internal traffic only', but that allows only traffic from services using VPC, whereas Cloud Scheduler doesn't as per doc explanation:
我将其设置为“仅允许内部流量”,但这仅允许来自使用 VPC 的服务的流量,而 Cloud Scheduler 不按照文档解释:
Internal-only HTTP functions can only be invoked by HTTP requests that are created within a VPC network, such as those from Kubernetes Engine, Compute Engine, or the App Engine Flexible Environment.
仅限内部使用的 HTTP 函数只能由在 VPC 网络中创建的 HTTP 请求调用,例如来自 Kubernetes Engine、Compute Engine 或 App Engine 柔性环境的请求。 This means that events created by or routed through Pub/Sub, Eventarc, Cloud Scheduler, Cloud Tasks and Workflows cannot trigger these functions.
这意味着由 Pub/Sub、Eventarc、Cloud Scheduler、Cloud Tasks 和 Workflows 创建或路由的事件无法触发这些功能。
So the proper way to do it is:所以正确的做法是:
If you tried all of the above (which should be the first things to look at, such as Add OIDC token, giving your service account role Cloud Function Invoker etc.), please also check the following:如果您尝试了以上所有方法(这应该是首先要查看的内容,例如添加 OIDC 令牌,赋予您的服务帐户角色 Cloud Function Invoker 等),还请检查以下内容:
For me the only thing that fixed this, was adding the following google internal service account to IAM:对我来说,唯一解决此问题的是将以下 google 内部服务帐户添加到 IAM:
service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com
And give this internal service account the following role:并赋予此内部服务帐户以下角色:
Cloud Scheduler Service Agent
See also:也可以看看:
https://cloud.google.com/scheduler/docs/http-target-auth https://cloud.google.com/scheduler/docs/http-target-auth
And especially for this case:特别是对于这种情况:
https://cloud.google.com/scheduler/docs/http-target-auth#addhttps://cloud.google.com/scheduler/docs/http-target-auth#add
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.