2

I'd like to make a simple job in Cloud Scheduler that would use my cloud function.

That's what I've done so far:

  1. Created a service account called "cloudfunction" with owner role (for tests)
  2. Created a cloud function job (let's call it JOB1) with internal traffic only, europe-west3 (that's what my gcloud app describe says), and as a service account I used my SA "cloudfunction".
  3. In Cloud Scheduler, I made a job with JOB1 HTTP and:

    URL = JOB1s URL,
    auth method = OIDC,
    http method = get,
    SA = cloudfunction (which is linked in JOB1 as well)
    audience = JOB1s URL.
    

I've already seen some topics with a similar problem, but in my case I have my service-xxx9@gcp-sa-cloudscheduler.iam.gserviceaccount.com IAM account, so it does not resolve my problem; neither does restarting the Scheduler API.

Similar topics which did not really help me in my case:

How to invoke Cloud Function from Cloud Scheduler with Authentication

Cannot invoke Google Cloud Function from GCP Scheduler

cannot invoke cloud function from cloud scheduler

Frank van Puffelen
brasai
  • As is mentioned here in the comments of this answer, have you tried on a fresh project? https://stackoverflow.com/questions/61235853/how-to-invoke-cloud-function-from-cloud-scheduler-with-authentication/62173854?noredirect=1#comment109961173_62173854 – Jan Hernandez Jun 03 '20 at 16:53
  • In the other thread I've seen that refreshing the project helps in the same way as reloading the Scheduler API... – brasai Jun 03 '20 at 17:31
  • I created a job on an old project and in a new one, using the GCP console, and it works as expected https://cloud.google.com/scheduler/docs/http-target-auth#using-the-console – Jan Hernandez Jun 03 '20 at 17:50
  • Could you explain what service accounts (and with what roles) do you have and which one do you use? I've got service account with owner permissions, and still it has no access. hmm – brasai Jun 03 '20 at 18:21
  • Many questions: Did you delete and re-create the SA cloudfunction? Did you grant your SA cloudfunction the role `Service Account User`? – guillaume blaquiere Jun 03 '20 at 18:46
  • Yep, I have tried to recreate SA cloudfunction. https://i.imgur.com/iDUa4XO.png there are grants that SA cloudfunction has. SA cloudfunction is of course linked in cloud function + cloud scheduler. – brasai Jun 03 '20 at 18:55
  • I have no idea how to fix that, to be honest. The documentation isn't clear or helpful, to be honest... – brasai Jun 03 '20 at 20:59
  • On both projects I used the default service account on the cloud function, and in Cloud Scheduler I used a SA with the owner role, that is it – Jan Hernandez Jun 04 '20 at 21:51
  • By the default account, do you mean that account for Cloud Scheduler? The problem is that I cannot select it, because I've got this account in IAM accounts, and can't select it in the cloud function as a service account, hmm. By the way, do you use internal traffic only in the cloud function? Or maybe you mean the default account "app engine" – brasai Jun 05 '20 at 10:11
  • Yes, you are right, I forgot the internal traffic only flag. – Jan Hernandez Jun 05 '20 at 13:26

1 Answer

3

This behavior is caused by a lack of connectivity between Cloud Scheduler and internal GCP services.

Cloud Scheduler can't use an internal IP within your project, and for this reason the requests will always be detected as external traffic. I found that another user filed a feature request about a similar issue.

Jan Hernandez
  • I'm facing the same thing as this: "Try to send requests to cloud function, which only accepts internal traffic (via Cloud Endpoint)". Are requests via Cloud Endpoint also detected as external traffic? – han shih Oct 30 '20 at 09:13
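
Added example (not part of the answer or comments above): since Cloud Scheduler's requests are treated as external traffic, one configuration consistent with the answer is to let ingress admit them while leaving IAM authentication as the gate, with the caller service account holding only the invoker role on this function rather than Owner. The project ID, runtime, job name and schedule are constructed placeholders; commands are printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example; PROJECT, RUNTIME, job name and schedule are constructed placeholders.
PROJECT="example-project"
REGION="europe-west3"
FUNCTION="JOB1"
RUNTIME="${RUNTIME:-python311}"
SA="cloudfunction@${PROJECT}.iam.gserviceaccount.com"
URL="https://${REGION}-${PROJECT}.cloudfunctions.net/${FUNCTION}"

# Print each command for review by default; set APPLY=1 to execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# 1. "internal-only" ingress rejects Scheduler before IAM is even evaluated.
#    Admit all ingress, and do not grant unauthenticated (allUsers) access,
#    so every caller still needs a valid identity token.
deploy_function() {
  run gcloud functions deploy "$FUNCTION" --project="$PROJECT" \
    --region="$REGION" --runtime="$RUNTIME" --trigger-http \
    --service-account="$SA" --ingress-settings=all --no-allow-unauthenticated
}

# 2. Least privilege: invoke rights on this one function, not project Owner.
grant_invoker() {
  run gcloud functions add-iam-policy-binding "$FUNCTION" --project="$PROJECT" \
    --region="$REGION" --member="serviceAccount:${SA}" \
    --role=roles/cloudfunctions.invoker
}

# 3. Scheduler attaches an OIDC token for the SA; audience is the function URL.
create_job() {
  run gcloud scheduler jobs create http "call-${FUNCTION}" --project="$PROJECT" \
    --location="$REGION" --schedule="*/15 * * * *" --uri="$URL" \
    --http-method=GET --oidc-service-account-email="$SA" \
    --oidc-token-audience="$URL"
}

# 4. Check which ingress setting is actually deployed.
check_ingress() {
  run gcloud functions describe "$FUNCTION" --project="$PROJECT" \
    --region="$REGION" --format="value(ingressSettings)"
}

deploy_function; grant_invoker; create_job; check_ingress
```

After applying, review the function's IAM policy with `gcloud functions get-iam-policy` to confirm no `allUsers` binding is left over from earlier tests.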