DEVHIDE
Login Or Sign up

Permission denied error when calling Google Cloud Run API from Cloud Scheduler

498 Views Asked by At

The following setup exist and works fine:

Now the problem: I PRESSED THIS BUTTON "SECURITY" that was shown inside my Google Cloud Run console!

After adding the "SECRET MANAGER SECRET ACCESSOR" to the Service-Account of the Google Cloud Run service (as required after pressing this "Security" button), then the Scheduler no longer works!

I followed all steps that are described in this post - but the "permission denied" for the Scheduler still remains!

What I did:

A) Add "SECRET MANAGER SECRET ACCESSOR" to the Service Account of the Google Cloud Run (as expected after pressing this button).

B) Add "OIDC Token" inside the Google Cloud Scheduler

C) Also, the Google Cloud Run API is hosted on a different "region" than the Google Cloud Scheduler. Is that a problem? (It was no problem yesterday!)

Did I miss something?

Questions:

  1. After the service-account has the "SECRET MANAGER SECRET ACCESSOR", do I still use the Google Cloud Run URL inside the Scheduler - or do I need a different URL now? (https://some_name-ab3adasmjk-oa.a.run.app ?)

  2. Inside the Scheduler, I did add "Add OIDC Token" and giving the Service Account of my Cloud Run API. I left Audience blank. Is that correct? Or is something else missing?

Additional information:

Steps I did and questions:

0.) Is it a problem to be on two different regions for Cloud Run API and Cloud Scheduler?

I) I created a first Service Account SA1 for the Google Cloud Run, giving it the SECRET MANAGER SECRET ACCESSOR permission

II) As mentioned in post, I created a second Service Account SA2 to IAM: i.e. service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com giving it the role Cloud Scheduler Service Agent

III) Is it correct that under Add OIDC token, I need to add SA1? (or is it SA2?)

IV) Not sure how this works: As desribed in the same post, there is the need to grant roles/cloudfunctions.invoker (or if using a 2nd Generation Environment Server, then roles/run.invoker instead)

--> how do I do that exactly? Step-by-step description PLEASE! --> What is the exact naming of the Permission if I want to grant Access? All I can find in the Web-Console is Clud Run Service Agent - but where can I find the option roles/run.invoker?

--> To what Service Account do I have to give this roles/run.invoker permission ? (i.e. is it to SA1 or SA2?)

scheduler google-cloud-run google-cloud-iam
Original Q&A
2

There are 2 best solutions below

1
On

  1. Creater a first Service Account SA1 for Cloud Run with role-permission Cloud Run Invoker All you need is to create a new Service Account under IAM->Service Account find the button Create Service Account and create one. Keep its email (is.e something like this [someName]@[PROJECT_ID].iam.gserviceaccount.com

  2. Go to the Cloud Run side-panel, Add principal and under New principal, enter this email. Then pick the role Cloud Run Invoker !

  3. Create a second Service Account SA2 for Scheduler with role-permission Cloud Scheduler Service Agent - see link. All you need is the Scheduler Service Email that looks something like that: service-[PROJECT_NUMBER]@gcp-sa-cloudscheduler.iam.gserviceaccount.com

  4. Inside your Cloud Scheduler, make sure to add OIDC Token and giving the Service Account of your Cloud Run API (i.e. [someName])

  5. Make sure you enter the Audience URL = URL from your Cloud Run (i.e. something like https://some_name-ab3adasmjk-oa.a.run.app)

  6. Make sure you set Require authentication inside your Cloud Run.

To sort out some confusion:

roles/run.invoker is the glc-terminal command - and if you use the console, it is called Cloud Run Invoker permission. The two are equivalent!

What almost turned me nuts is the fact that this Cloud Run Invoker permission can only be found when you have the Cloud Run console open and select your service. After selecting, you find permission menu on the right-hand panel and can address the Cloud Run Invoker with the "Add principal" as described in step 2 above.

But what absolutely does not work: You will never be able to set Cloud Run Invoker inside IAM --> Service Account --> Permissions. It just does not show up. That's actually what made me most crazy. The Cloud Run Invoker permission on the console only exist if you start the process on the right-hand-side panel of your Cloud Run - AND ONLY IF YOU SELECT ONE CLOUD RUN - otherwise you never find it!

I guess you should use glc-terminal cmds anyways since the console is so hidous !!!

1
On

huuhh and another finding:

If you use the Console to add an Auth-Header (OIDC token with Cloud Run Service and Audience-URL of the Cloud Run-baseURL), then please don't forget to press "CONTINUE" button before you press the "UPDATE" butten !!!!

(i.e. the UPDATE-button is so close that one feels tempted to immediately update. But if you do so, then for some odd reason the scheduler does not add Auth-Header and you end up with 403 permission-denied error)

enter image description here

Related Questions in SCHEDULER

Related Questions in GOOGLE-CLOUD-RUN

Related Questions in GOOGLE-CLOUD-IAM

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.