Cloud Scheduler can call HTTP targets that require authentication if you have set up an associated service account that has the appropriate credentials.
Set up the service account
If you don't already have a service account that you want to use for Cloud Scheduler jobs with HTTP targets, create a new service account. Note the following:
The service account must belong to the project in which the Cloud Scheduler job is created.
Do not use the Cloud Scheduler service agent (
service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com
). It cannot be used for this purpose.Do not revoke the Cloud Scheduler Service Agent role (
roles/cloudscheduler.serviceAgent
) from the Cloud Scheduler service agent on your project. Doing so results in403
responses to endpoints requiring authentication, even if your job's service account has the appropriate role.
If your target is within Google Cloud, grant the necessary IAM roles to your service account. Each service within Google Cloud requires a specific role, and the receiving service automatically verifies the generated token. For example, for Cloud Run and second generation Cloud Run functions functions, you must add the
Cloud Run Invoker
role.Note that to deploy a resource with a user-managed service account, the deployer must have the
iam.serviceAccounts.actAs
permission for that service account. If you created the service account, you are automatically granted this permission. If not, someone who has the correct permissions must grant you this permission on the service account.Best practice: In the previous step, if you created a service account specifically for invoking the service that your Cloud Scheduler job targets, consider following the principle of least privilege (security best practice) by binding the account and its invoker permission to your target service. You can do this using the Google Cloud console or the gcloud CLI:
Console
1. Open the Google Cloud console.
2. Select your project.
3. Navigate to the page for the resource type you are invoking. For example, if you are invoking a Cloud Run service, navigate to the page that lists Cloud Run services.
4. Select the checkbox at the left of the service you want to invoke. (Don't click on the service itself.)
5. Click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.
6. Click
Add principal.7. Under Add principals, enter the email address for the service account you created.
8. Under Assign roles, select a role to grant from the drop-down list. Follow the principle of least privilege by choosing the role that includes only the permissions that your principal needs.
9. Click Save.
gcloud
Run the
add-iam-policy-binding
command:gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID \ --member=PRINCIPAL --role=ROLE
Replace:
RESOURCE_TYPE
: The resource type of your target. For example,run
for a Cloud Run target.RESOURCE_ID
: The identifier for your target. For example, the service name for a Cloud Run target.PRINCIPAL
: The identifier for your service account. This has the following form:serviceAccount:SERVICE_ACCOUNT_EMAIL_ADDRESS
. For example,serviceAccount:my-service-account@my-project.iam.gserviceaccount.com
.ROLE
: The name of the role that your target service requires for invocation. For example,roles/run.invoker
for a Cloud Run or second generation Cloud Run functions target.
Examples:
Cloud Run target: The following command grants the Cloud Run Invoker role to the service account
my-service-account@my-project.iam.gserviceaccount.com
for the Cloud Run servicemy-service
:gcloud run add-iam-policy-binding my-service \ --member=serviceAccount:my-service-account@my-project.iam.gserviceaccount.com \ --role=roles/run.invoker
Cloud Run functions target: The following command grants the Cloud Run Invoker role required by second generation Cloud Run functions functions to the service account
my-service-account@my-project.iam.gserviceaccount.com
for the second generation Cloud Run functions functionmy-gen2-function
:gcloud functions add-iam-policy-binding my-gen2-function \ --member=serviceAccount:my-service-account@my-project.iam.gserviceaccount.com \ --role=roles/run.invoker --gen2
If your target is outside of Google Cloud, the receiving service must manually verify the token.
The default Cloud Scheduler service account is automatically set up when you enable the Cloud Scheduler API, unless you enabled it prior to March 19, 2019, in which case you must add the
Cloud Scheduler Service Agent
role manually. This is so that it can generate header tokens on behalf of your client service account to authenticate to your target.You can verify that the default Cloud Scheduler service account is set up in your project and that it has the
Cloud Scheduler Service Agent
role granted to it by viewing your project's current access. Note that if you use the Google Cloud console to view your project's access, make sure to select the Include Google-provided role grants checkbox.
Create a scheduler job with authentication
To create a job that uses authentication, you need to add the token type
and the email address that identifies the client service account to your
create-job
request:
Console
- Specify the frequency as always.
- Specify HTTP as the target type.
- Add the URL and HTTP method as always.
- In the Auth header list, select the token type. Note that OIDC
(ID token) is generally used except for Google APIs hosted on
*.googleapis.com
as these APIs expect an OAuth access token. - For Service account, specify the client service account email.
- Audience is optional and limits the recipients for the OIDC token; typically, the job's target URL (without any URL parameters). If not specified, by default, the entire URL is used as the audience (including request parameters).
gcloud
gcloud scheduler jobs create http JOB_ID \ --schedule="FREQUENCY" --uri=URI \ --oidc-service-account-email=CLIENT_SERVICE_ACCOUNT_EMAIL
Replace the following:
JOB_ID
: a name for the job. It must be unique in the project. Note that you cannot re-use a job name in a project even if you delete its associated job.FREQUENCY
: the job interval is how often the job is to run, for example,every 3 hours
orevery 10 mins
. The string you supply here can be any Crontab compatible string. (Although we no longer recommend its use, the legacy App Engine cron syntax is still supported for existing jobs.)URI
: the fully qualified URL of the endpoint.--oidc-service-account-email
or--oauth-service-account-email
: defines the token type. Note that OIDC is generally used except for Google APIs hosted on*.googleapis.com
as these APIs expect an OAuth token.CLIENT_SERVICE_ACCOUNT_EMAIL
: the email of the client service account.- Other optional parameters are available and are described in the gcloud command line reference.
Choose token types
To authenticate between Cloud Scheduler and an HTTP target,
Cloud Scheduler creates a header token based on your client service
account, identified by its email, and sends it, using HTTPS, to the target.
You can use either an ID (OIDC) token
or an OAuth (access) token. OIDC is generally used except for Google APIs
hosted on *.googleapis.com
as these APIs expect an OAuth token.
Manually add the Cloud Scheduler Service Agent role to your Cloud Scheduler service account
This is necessary only if one of the following is true:
- You enabled the Cloud Scheduler API prior to March 19, 2019
- You removed the Cloud Scheduler Service Agent role from your service account
The Cloud Scheduler service account requires the Cloud Scheduler Service Agent role. Without this role, Cloud Scheduler jobs fail. You can add the Cloud Scheduler Service Agent role to your Cloud Scheduler service account from the Google Cloud console or using the gcloud CLI:
Console
In the Google Cloud console, go to the Cloud Scheduler API page.
If there is a Status field and the status is listed as Enabled, proceed. If not, click Enable.
In the Google Cloud console, go to the Settings page.
Find and copy your project number.
In the Google Cloud console, go to the IAM page.
Click Grant access. The Grant access pane opens.
In the New principals field, add an email address with the format:
service-PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com
Replace
PROJECT_NUMBER
with your Google Cloud project number.In the Select a role list, search for and select Cloud Scheduler Service Agent.
Click Save.
gcloud
Confirm that the Cloud Scheduler API is enabled for your project:
gcloud services list --enabled \ --filter=cloudscheduler.googleapis.com
If you see the following output, the API is enabled:
NAME: cloudscheduler.googleapis.com TITLE: Cloud Scheduler API
If not (for example, if you see
Listed 0 items.
), enable the API:gcloud services enable cloudscheduler.googleapis.com
Find your project number:
gcloud projects describe PROJECT_ID --format='table(projectNumber)'
Replace
PROJECT_ID
with your project ID.Copy the number.
Grant the Cloud Scheduler service account the
Cloud Scheduler Service Agent
role:gcloud projects add-iam-policy-binding PROJECT_ID \ --member serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com \ --role roles/cloudscheduler.serviceAgent
Replace the following:
PROJECT_ID
: your project IDPROJECT_NUMBER
: the project number you previously copied