1

I have a Google Cloud Function consisting of a Python script. When I test the function everything works as expected.

The function uses a PubSub as trigger and a service account. I've set up a Cloud Scheduler to trigger the PubSub daily. But when I test the Scheduler by using the "run now" button, I get this permission denied error.

{
  "insertId": "***",
  "jsonPayload": {
    "status": "PERMISSION_DENIED",
    "pubsubTopic": "projects/***/topics/***",
    "@type": "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished",
    "targetType": "PUB_SUB",
    "jobName": "projects/***/locations/europe-west1/jobs/***"
  },
  "resource": {
    "type": "cloud_scheduler_job",
    "labels": {
      "project_id": "***",
      "location": "europe-west1",
      "job_id": "***"
    }
  },
  "timestamp": "2021-06-27T21:45:00.807387936Z",
  "severity": "ERROR",
  "logName": "projects/***/logs/cloudscheduler.googleapis.com%2Fexecutions",
  "receiveTimestamp": "2021-06-27T21:45:00.807387936Z"
}

The Scheduler setup: [screenshot]

My Service account has editor rights on the project. How do I know which permission is missing and where to add it? Or is the issue not the Service account but something else?

Gengis

3 Answers

2

After double-checking the Cloud Function, Scheduler and PubSub without any success, I came across this answer. Disabling and re-enabling the API did the trick and solved the issue. I guess some part of the initial configuration had been deleted or so, and re-enabling the API recreated everything that was needed.

Gengis
  • I had to add the role "Cloud Scheduler Service Agent" to the default service account created for Cloud Scheduler to remove the permission error. Disabling / re-enabling was not working for me. – tim-montague Jan 17 '23 at 09:05
2

We had a similar problem suddenly on Sunday July 25th, on a production project that had been running fine since the beginning of 2019. Disabling the API was not an option, because we did not want to recreate all the cronjob configuration. So we created the SA as described here. The documentation is for HTTP-triggered requests, but seems to be valid also for Pub/Sub triggers.

service-[project-number]@gcp-sa-cloudscheduler.iam.gserviceaccount.com

And give the SA the Pub/Sub Publish role (I am not sure if this is actually required). Looks like this did the trick and solved the problem.

Simone Bracaloni
  • We started to experience the problem at noon July 26 (EEST). Adding the privilege as per the docs resolved the problem (we are old customers of GCP). Surprising that we have to search for a fix instead of Google applying it silently. – gavenkoa Jul 27 '21 at 08:49
1

I had the same problem on July 26th and I've been following a Google forum since yesterday, at this link: https://issuetracker.google.com/issues/194507663

According to the forum, I executed the following command:

gcloud projects add-iam-policy-binding [project-id] --member serviceAccount:service-[project-number]@gcp-sa-cloudscheduler.iam.gserviceaccount.com --role roles/cloudscheduler.serviceAgent

... and it worked! Apparently it adds a P4SA account for Pub / Sub publish on Cloud Scheduler.
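For the question's "which permission is missing and where", here is an added example (not part of any answer above, and not Google's code) that audits a project IAM policy, as exported with `gcloud projects get-iam-policy [project-id] --format=json`, for the Cloud Scheduler service agent binding the answers describe. The project number, the other account names and both sample policies are constructed; the `deleted:serviceAccount:...?uid=...` form is how IAM lists a principal that no longer exists.

```python
import json

AGENT_ROLE = "roles/cloudscheduler.serviceAgent"  # role named in the answers above


def scheduler_agent(project_number):
    """Email of the Cloud Scheduler service agent, in the format quoted above."""
    return f"service-{project_number}@gcp-sa-cloudscheduler.iam.gserviceaccount.com"


def audit_policy(policy, project_number):
    """Return the roles bound to the Scheduler agent and what looks wrong."""
    email = scheduler_agent(project_number)
    live = f"serviceAccount:{email}"
    roles, findings = set(), []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member == live:
                roles.add(binding["role"])
                if "condition" in binding:  # conditional grants may not apply
                    findings.append(f"{binding['role']} is conditional")
            elif member.startswith(f"deleted:serviceAccount:{email}"):
                findings.append(f"stale binding for deleted agent on {binding['role']}")
    if AGENT_ROLE not in roles:
        findings.append(f"missing {AGENT_ROLE}")
    return {"member": live, "roles": sorted(roles), "findings": findings}


# Constructed sample data: the function's own account has Editor, but the
# Scheduler agent binding is absent (only a deleted leftover remains).
PROJECT_NUMBER = "123456789012"
AGENT = scheduler_agent(PROJECT_NUMBER)
EDITOR = {"role": "roles/editor",
          "members": ["serviceAccount:my-function@example-project.iam.gserviceaccount.com"]}
BROKEN = {"bindings": [EDITOR,
                       {"role": AGENT_ROLE,
                        "members": [f"deleted:serviceAccount:{AGENT}?uid=000000000000000000000"]}]}
# Constructed sample data: state after the add-iam-policy-binding command.
FIXED = {"bindings": [EDITOR,
                      {"role": AGENT_ROLE, "members": [f"serviceAccount:{AGENT}"]}]}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, json.dumps(audit_policy(policy, PROJECT_NUMBER), indent=2))
```

Editor rights on the function's own service account do not show up in this check, because the publish to Pub/Sub is done by the separate Cloud Scheduler agent account.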