You can use Cloud Scheduler to securely trigger a Cloud Run service on a schedule. This is similar to using cron jobs.
Possible use cases include:
- Performing backups on a timed basis
- Performing recurrent administration tasks, such as:
- Re-generating a sitemap
- Deleting old data, content, configuration, or revisions
- Synchronizing content between data systems
- Processing daily email notifications
- Verifying and reporting on access to downstream services
- Generating documents, such as bills
This page shows how to securely use Cloud Scheduler with Cloud Run in the same Google Cloud project.
Before you start
Enable the Cloud Scheduler API on the project you are using.
Creating and deploying your service
To create and deploy:
In your service, implement the job that you want to run on a schedule.
Note which request type your service is expecting to receive the job requests from, for example,
POST. When you create the scheduled job that invokes your service, you'll need to specify the HTTP method that matches this.
If you are using Cloud Run for Anthos on Google Cloud, you must verify the identity within the container. See the IAP sample code that demonstrates this.
When you deploy the service you are using with Cloud Scheduler, make sure you do NOT allow unauthenticated invocations.
Creating a service account for Cloud Scheduler
You need to create a service account to associate with Cloud Scheduler, and give that service account the permission to invoke your Cloud Run service. You can use an existing service account to represent Cloud Scheduler, or you can create a new one.
To create a service account and give it permission to invoke the Cloud Run service:
Visit the Create service account key page in the Cloud Console.
From the Service account list, select New service account.
In the Service account name field, enter the name you want to use for the service account.
Copy the service account email to use in the following steps.
Click Continue if prompted to specify permissions.
Visit the Cloud Run Services page in the Cloud Console.
Select your service in the displayed list.
If necessary, click the Show Info Panel/Hide Info Panel toggle in the far right of the page to show information.
Locate the Permissions tab, and in that tab, click Add Member.
Paste your service account email into the New members field.
From the Role dropdown menu, select Cloud Run > Cloud Run Invoker.
Create the service account:
gcloud iam service-accounts create SERVICE-ACCOUNT_NAME \ --display-name "DISPLAYED-SERVICE-ACCOUNT_NAME"
- SERVICE-ACCOUNT_NAME with a lower case name unique within
your Google Cloud project, for example
- DISPLAYED-SERVICE-ACCOUNT-NAME with the name you want to
display for this service account, for example, in the console, for example,
My Invoker Service Account.
- SERVICE-ACCOUNT_NAME with a lower case name unique within your Google Cloud project, for example
For Cloud Run, give your service account permission to invoke your service:
gcloud run services add-iam-policy-binding SERVICE \ --member=serviceAccount:SERVICE-ACCOUNT_NAME@PROJECT-ID.iam.gserviceaccount.com \ --role=roles/run.invoker
- SERVICE with the name of the service you want to be invoked by Cloud Scheduler.
- SERVICE-ACCOUNT_NAME with the name of the service account.
- PROJECT-ID with your Google Cloud project ID.
Creating a Cloud Scheduler job
You'll need to create a job that invokes your service at specified times. You can use either the console or the command line:
To create a job you can use either the console or the gcloud command line. Click on the appropriate tab:
Visit the Cloud Scheduler console page.
Click Create job.
Supply a name for the job.
Specify the frequency, or job interval, at which the job is to run, using a configuration string. For example, the string
0 */3 * * *runs the job every 3 hours. The string you supply here can be any crontab compatible string.
For more information, see Configuring Job Schedules.
From the dropdown list, choose the timezone to be used for the job frequency.
HTTPas the target:
Specify the fully qualified URL of your service, for example
https://myservice-abcdef-uc.a.run.appThe job will send requests to this URL.
Specify the HTTP method: the method must match what your previously deployed Cloud Run service is expecting. The default is
Optionally, specify the data to be sent to the target. This data is sent in the body of the request when either the
PUTHTTP method is selected.
Click More to show the auth settings.
From the dropdown menu, select Add OIDC token.
In the Service account field, copy the service account email of the service account you created previously.
In the Audience field, copy the full URL of your service.
Click Create to create and save the job.
Create the job:
gcloud beta scheduler jobs create http test-job --schedule "5 * * * *" --http-method=HTTP-METHOD \ --uri=SERVICE-URL \ --oidc-service-account-email=SERVICE-ACCOUNT-EMAIL \ --oidc-token-audience=SERVICE-URL
- HTTP-METHOD with the HTTP method, eg, GET, POST, PUT, etc.
- SERVICE-URL with your service URL.
- SERVICE-ACCOUNT-EMAIL with your service account email.
Your Cloud Run service will be triggered via a request by the Cloud Scheduler job at the frequency you defined. You can confirm and monitor this by examining the logs for this service.