
I'm trying to trigger a Cloud Function on a schedule using Cloud Scheduler. I have set up a service account with the Cloud Function Invoker role, set it as the service account on the scheduler, and set the auth header to "Add OIDC token". The URL is the same as the trigger URL for the cloud function.


When I run the scheduled job manually, the result comes back as "Success", so there doesn't appear to be any authentication issue. However, the result I'd expect (new data being appended to a BigQuery table) does not happen.

You might assume at this point that there is a problem with the Cloud Function, however when I run the function manually (without the scheduler), it works exactly as expected.

When I check the Cloud Function logs after running the scheduler manually, clearly the function has not been called, so it seems somehow the interaction between the Scheduler and the Function is not working. The strange thing is that I have set this up in exactly the same way as I've done with other scheduled functions in the past, which worked just fine, so I can't find a reason why this wouldn't be working.

Any ideas where I could be going wrong?

hawkaterrier
  • Are you sure that cloud scheduler will report a 401 response as a failure? The docs don't seem to state that. Can you try turning off authentication on your cloud function ("allow unauthorized invocations") and retrying to see what that does? – somethingsomething May 20 '22 at 11:25
  • @somethingsomething I've seen that setting referenced in various solutions to other questions, but cannot locate it. It doesn't appear in the runtime, build, connections and security settings, or in the permissions settings. The closest thing I can find is "Allow all traffic" in the ingress settings, which is what was already selected by default. Not sure if the UI has changed or if I'm missing something. – hawkaterrier May 20 '22 at 11:33
  • 1
    All you have to do is add --allow-unauthenticated to your `gcloud functions deploy`. Alternatively, In cloud console, it looks like this can't be changed after initial deployment (or rather I can't find it), but it is a setting when you first create it, under Trigger -> Authentication. – somethingsomething May 20 '22 at 11:40
  • I have just created a new function following your instructions, switched the scheduler over to that function and it has worked - thanks. EDIT: This is the only function I have that's set to "Allow unauthenticated" though, so that doesn't explain why my other functions have been working with Cloud Scheduler but this one doesn't. – hawkaterrier May 20 '22 at 11:54
  • You probably made a mistake with the oidc service account, adding an account that doesn't have the 'cloudfunctions.functions.invoke' permission on that specific cloud function. This should be fixed, allowing unauthenticated wasn't meant as a solution (hence why I didn't post it as an answer), but just to confirm it is a permission issue. – somethingsomething May 20 '22 at 12:05
  • That doesn't appear to be the issue. The oidc service account has the Cloud Functions Invoker role, which has the 'cloudfunctions.functions.invoke' permission on the project, and by extension the function itself. It's the same service account I've always used to invoke cloud functions, previously without any issues. – hawkaterrier May 20 '22 at 12:23
  • You may check a similar post here https://stackoverflow.com/questions/61235853/how-to-invoke-cloud-function-from-cloud-scheduler-with-authentication?rq=1 – Vaidehi Jamankar Jun 15 '22 at 06:38

1 Answer

Here there seems to be an issue with the calls not reaching the cloud function when the scheduler tries to use the function-invoker service account to trigger the cloud function running as function-runner. The problem with Cloud Scheduler is that it cannot be used to trigger the function if it is set to “allow internal traffic”.

Internal-only HTTP functions can only be invoked by HTTP requests that are created within a VPC network, such as those from Kubernetes Engine, Compute Engine, or the App Engine Flexible Environment. This means that events created by or routed through Pub/Sub, Eventarc, Cloud Scheduler, and Cloud Tasks cannot trigger these functions[1].

Please check the Load Balancer configurations to manage the traffic in Cloud Functions. So even though you choose the option of “Allow internal traffic and traffic from Cloud Load Balancing”, it is only using the part of “allow internal traffic” because there is no option to manage the load balancing. A workaround would be to create the load balancer[2] to manage the traffic in Cloud Functions[3], or you could select the option of “Allow all traffic” if it is acceptable to you.

[1] https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings

[2] https://cloud.google.com/iap/docs/load-balancer-howto

[3] https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless

Vaidehi Jamankar
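A small audit script, added here and not part of the question or the answer, that takes the function, IAM policy and scheduler job descriptions and reports the conditions raised in the comments and the answer: an ingress setting that drops Cloud Scheduler traffic, a job with no OIDC token, a token service account without the invoker role, or a URI or audience that does not match the trigger URL. The field names follow the JSON output of `gcloud functions describe`, `gcloud functions get-iam-policy` and `gcloud scheduler jobs describe` (an assumption), and every sample value is constructed.

```python
# Added diagnostic for the Cloud Scheduler -> Cloud Function hand-off discussed above.
# Inputs mirror the JSON of `gcloud functions describe`, `gcloud functions get-iam-policy`
# / `gcloud projects get-iam-policy` and `gcloud scheduler jobs describe` (field names
# are an assumption; every value below is constructed, not from the question).

INVOKER_ROLE = "roles/cloudfunctions.invoker"
# Cloud Scheduler is not VPC-internal traffic, so these ingress settings drop it.
INGRESS_BLOCKING_SCHEDULER = {"ALLOW_INTERNAL_ONLY", "ALLOW_INTERNAL_AND_GCLB"}


def invokers(policies):
    """Members holding the invoker role across function- and project-level policies."""
    return {m for p in policies for b in p.get("bindings", [])
            if b.get("role") == INVOKER_ROLE for m in b.get("members", [])}


def diagnose(function, policies, job):
    """Return findings explaining why a scheduler job may never reach the function."""
    findings = []
    url = function["httpsTrigger"]["url"]
    ingress = function.get("ingressSettings", "ALLOW_ALL")
    if ingress in INGRESS_BLOCKING_SCHEDULER:
        findings.append(f"ingress {ingress} drops Scheduler traffic; use ALLOW_ALL or a load balancer")
    target = job.get("httpTarget", {})
    if target.get("uri") != url:
        findings.append("job URI differs from the function trigger URL")
    oidc = target.get("oidcToken")
    if oidc is None:
        findings.append("job sends no OIDC token, so an authenticated function rejects it")
    else:
        # The function checks the token audience against its own URL; Scheduler
        # defaults the audience to the job URI when none is set explicitly.
        if oidc.get("audience", target.get("uri")) != url:
            findings.append("OIDC audience does not match the function URL")
        member = "serviceAccount:" + oidc["serviceAccountEmail"]
        allowed = invokers(policies)
        if member not in allowed and "allUsers" not in allowed:
            findings.append(f"{member} lacks {INVOKER_ROLE} on the function or project")
    return findings


# Constructed sample matching the question: invoker granted and OIDC set, ingress internal.
FUNCTION = {"httpsTrigger": {"url": "https://example-region-example-project.cloudfunctions.net/append-rows"},
            "ingressSettings": "ALLOW_INTERNAL_AND_GCLB"}
SA = "scheduler-invoker@example-project.iam.gserviceaccount.com"
POLICIES = [{"bindings": [{"role": INVOKER_ROLE, "members": ["serviceAccount:" + SA]}]}]
JOB = {"httpTarget": {"uri": FUNCTION["httpsTrigger"]["url"], "httpMethod": "POST",
                      "oidcToken": {"serviceAccountEmail": SA}}}
```

Pass both the function-level and the project-level policy in `policies`: `gcloud functions get-iam-policy` shows only bindings set on the function itself, so a project-wide invoker grant (as in the question) is inherited but would otherwise be reported as missing.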