Using authentication with HTTP Targets

Cloud Scheduler can call HTTP targets that require authentication if you have set up an associated service account that has the appropriate credentials.

Setting up the service account

  1. Identify an existing service account to be used for the call from Cloud Scheduler to your HTTP target or create a new service account for this purpose. This is the client service account.

  2. If your target is part of GCP, update your client service account by granting it the necessary IAM role. Each service within GCP requires a different role. For Cloud Run, for example, you would need to add the Cloud Run Invoker role, and so on.

  3. Cloud Scheduler itself must have a service account of its own that has the Cloud Scheduler Service Agent role granted. This is so it can generate header tokens on behalf of your client service account to authenticate to your target. The Cloud Scheduler service account with this role granted is automatically set up when you enable the Cloud Scheduler API, unless you enabled it prior to March 19, 2019, in which case you must add the role manually.

Creating a scheduler job with authentication

To create a job that uses authentication, you need to add two pieces of information to your create-job request:

  • The token type you choose to use
  • The email address that identifies the client service account

    Using the Console

    1. Specify the frequency as always.
    2. Specify HTTP as the target type.
    3. Add the URL and method as always.
    4. Select the token type from the Auth header dropdown.
    5. Add the client service account email in the Service account text box.

    image

    Using gcloud

    Syntax:

     gcloud scheduler jobs create http ${JOB_ID} --schedule="every 10 mins" --uri=${URI} --oidc-service-account-email=${CLIENT_SERVICE_ACCOUNT_EMAIL}
    

    Where:

    1. ${JOB_ID} is a name for the job. It must be unique in the project. Note that you cannot re-use a job name in a project even if you delete its associated job.
    2. The schedule, also called frequency, or job interval, is how often the job is to run, for example, `every 3 hours". The string you supply here can be any Crontab compatible string. Alternatively, developers familiar with legacy App Engine cron can use App Engine Cron syntax.
    3. ${URI} is the fully qualified URL of the endpoint.
    4. --oidc-service-account-email or --oauth-service-account-email defines the token type.
    5. ${CLIENT_SERVICE_ACCOUNT_EMAIL} is the email of the client service account.
    6. Other option parameters are available, which are described in the gcloud command line reference.

Choosing token types

To authenticate between Cloud Scheduler and an HTTP target, Cloud Scheduler creates a header token based on your client service account, identified by its email, and sends it, via HTTPS, to the target. You can use either an OIDC token or an OAuth token. OIDC is generally used except for Google APIs hosted on *.googleapis.com: these APIs expect an OAuth token.

Adding the Cloud Scheduler Service Agent role to your Cloud Scheduler service account manually

This is necessary only if you enabled Cloud Scheduler API prior to March 19, 2019.

Using the Console

  1. Find the project number for your project on the GCP Project Settings Page.
  2. Copy down the number.
  3. Open the IAM Admin Console Page.
  4. Click Add. The Add members screen opens.
  5. In the New members dialog box, add an email address of the format:

    service-[project-number]@gcp-sa-cloudscheduler.iam.gserviceaccount.com
    

    Replacing [project-number] with your project number from above.

  6. From the Select a role drop-down, choose Service Management -> Cloud Scheduler Service Agent

  7. Click Save.

Using gcloud

  1. Find your project number:

    gcloud projects describe [project-id] --format='table(projectNumber)'
    

    Replacing [project-id] with your project ID.

  2. Copy down the number.

  3. Grant the Cloud Scheduler service account the Cloud Scheduler Service Agent role, using the project number you copied down:

    gcloud projects add-iam-policy-binding [project-id] --member serviceAccount:service-[project-number]@gcp-sa-cloudscheduler.iam.gserviceaccount.com --role roles/cloudscheduler.serviceAgent
    

    Replacing [project-id] with your project ID and [project-number] with the project number from above.

Var denne siden nyttig? Si fra hva du synes:

Send tilbakemelding om ...

Cloud Scheduler Documentation