You can use Cloud Scheduler to securely trigger a Cloud Run service on a schedule. This is similar to using cron jobs.
Possible use cases include:
- Performing backups on a timed basis
- Performing recurrent administration tasks, such as:
- Re-generating a sitemap
- Deleting old data, content, configuration, or revisions
- Synchronizing content between data systems
- Processing daily email notifications
- Verifying and reporting on access to downstream services
- Generating documents, such as bills
This page shows how to securely use Cloud Scheduler with Cloud Run in the same Google Cloud project.
Before you start
Enable the Cloud Scheduler API on the project you are using.
Creating and deploying your service
To create and deploy:
In your service, implement the job that you want to run on a schedule.
Note which request type your service is expecting to receive the job requests from, for example,
POST. When you create the scheduled job that invokes your service, you'll need to specify the HTTP method that matches this.
When you deploy the service you are using with Cloud Scheduler, make sure you do NOT allow unauthenticated invocations.
Creating a service account for Cloud Scheduler
You need to create a service account to associate with Cloud Scheduler, and give that service account the permission to invoke your Cloud Run service. You can use an existing service account to represent Cloud Scheduler, or you can create a new one.
To create a service account and give it permission to invoke the Cloud Run service:
In the Google Cloud console, go to the Service Accounts page.
Select a project.
Enter a service account name to display in the Google Cloud console.
The Google Cloud console generates a service account ID based on this name. Edit the ID if necessary. You cannot change the ID later.
Optional: Enter a description of the service account.
Click the Select a role field.
Under All roles, select Cloud Run > Cloud Run Invoker.
Create the service account:
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \ --display-name "DISPLAYED_SERVICE_ACCOUNT_NAME"
- SERVICE_ACCOUNT_NAME with a lower case name unique within
your Google Cloud project, for example
- DISPLAYED_SERVICE_ACCOUNT_NAME with the name you want to
display for this service account, for example, in the console, for example,
My Invoker Service Account.
- SERVICE_ACCOUNT_NAME with a lower case name unique within your Google Cloud project, for example
For Cloud Run, give your service account permission to invoke your service:
gcloud run services add-iam-policy-binding SERVICE \ --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \ --role=roles/run.invoker
- SERVICE with the name of the service you want to be invoked by Cloud Scheduler.
- SERVICE_ACCOUNT_NAME with the name of the service account.
- PROJECT_ID with your Google Cloud project ID.
Creating a Cloud Scheduler job
You'll need to create a job that invokes your service at specified times. You can use either the console or the command line:
To create a job you can use either the console or the gcloud command line. Click on the appropriate tab:
Visit the Cloud Scheduler console page.
Click Create job.
Supply a name for the job.
Specify the frequency, or job interval, at which the job is to run, using a configuration string. For example, the string
0 */3 * * *runs the job every 3 hours. The string you supply here can be any crontab compatible string.
For more information, see Configuring Job Schedules.
From the dropdown list, choose the timezone to be used for the job frequency.
HTTPas the target:
Specify the fully qualified URL of your service, for example
https://myservice-abcdef-uc.a.run.appThe job will send requests to this URL.
Specify the HTTP method: the method must match what your previously deployed Cloud Run service is expecting. The default is
Optionally, specify the data to be sent to the target. This data is sent in the body of the request when either the
PUTHTTP method is selected.
Click More to show the auth settings.
From the dropdown menu, select Add OIDC token.
In the Service account field, copy the service account email of the service account you created previously.
In the Audience field, copy the full URL of your service.
Click Create to create and save the job.
Create the job:
gcloud scheduler jobs create http test-job --schedule "5 * * * *" \ --http-method=HTTP-METHOD \ --uri=SERVICE-URL \ --oidc-service-account-email=SERVICE-ACCOUNT-EMAIL \ --oidc-token-audience=SERVICE-URL
- HTTP-METHOD with the HTTP method, eg, GET, POST, PUT, etc.
- SERVICE-URL with your service URL.
- SERVICE-ACCOUNT-EMAIL with your service account email.
Your Cloud Run service will be triggered via a request by the Cloud Scheduler job at the frequency you defined. You can confirm and monitor this by examining the logs for this service.
- Logging and viewing logs
- Monitoring health and performance
- Triggering from Pub/Sub
- Invoking with HTTPS