Secure cron jobs with VPC Service Controls

VPC Service Controls is a Google Cloud feature that allows you to set up a secure perimeter to guard against data exfiltration. This guide shows how to include Cloud Scheduler jobs in a VPC Service Controls perimeter.

Limitations

The following limitations apply to VPC Service Controls support for Cloud Scheduler.

Enforced actions

VPC Service Controls is only enforced on the following actions:

Cloud Scheduler job creation
Cloud Scheduler job updates

Why does this matter?

Because VPC Service Controls is only enforced on job creation and job updates, VPC Service Controls is not automatically enforced for jobs that were created before you added Cloud Scheduler to your VPC Service Controls perimeter. Jobs continue to execute even if the job targets aren't part of your VPC Service Controls perimeter or are not supported targets. To enforce VPC Service Controls for all Cloud Scheduler jobs:

Jobs with targets that are either unsupported or are outside your perimeter: Delete the jobs. See Delete non-compliant jobs
Jobs with targets that are both supported and inside your perimeter: Run an update on each job after adding Cloud Scheduler to your perimeter. See Enforce on preexisting jobs.

Supported targets

The Cloud Scheduler integration with VPC Service Controls only supports the following targets:

Cloud Functions (on the functions.net URL)
Cloud Run (on the run.app URL for Cloud Run services. Cloud Run job targets are not supported. To learn about the difference between service and job resources for Cloud Run, see Services and jobs: two ways to run your code.)
Dataflow API (must be in the same Google Cloud project as your Cloud Scheduler job)
Data Pipelines (must be in the same Google Cloud project as your Cloud Scheduler job)
Pub/Sub (must be in the same Google Cloud project as your Cloud Scheduler job)

Delete non-compliant jobs

Recommended. Delete Cloud Scheduler jobs with targets that are either:

Unsupported (see Supported targets)
Outside of the VPC Service Controls perimeter you plan to use

For instructions on deleting jobs, see Delete a job.

If you do not delete these jobs before adding Cloud Scheduler to your VPC Service Controls perimeter, the jobs continue to run, but VPC Service Controls is not enforced on them (see Enforced actions).

For example, if you have a Cloud Scheduler job that targets an unsupported target (such as a Cloud Run custom domain), the job continues to run after you add Cloud Scheduler to your VPC Service Controls perimeter, but it is not protected by VPC Service Controls. The same is true for a preexisting job with a target outside of your VPC Service Controls perimeter.

Add required IAM roles

Required. In order to use VPC Service Controls, the Cloud Scheduler service account must have the Cloud Scheduler Service Agent IAM role. The Cloud Scheduler service account is created for your project automatically. To verify that it has the Cloud Scheduler Service Agent IAM role, or to grant this role, take the following steps:

In the Google Cloud console, go to IAM.

Go to IAM
Select the Include Google-provided role grants checkbox.
In the filter, type Cloud Scheduler Service Account, and select this principal.
Look at the Role column for the Cloud Scheduler Service Account principal. You can proceed if the following role is listed:
- Cloud Scheduler Service Agent
If the Cloud Scheduler Service Account role is not listed, click the Edit icon and grant the Cloud Scheduler Service Agent role to the Cloud Scheduler Service Account principal.

Specify a VPC Service Controls perimeter

Required. You can use an existing perimeter or create a new perimeter to protect your Cloud Scheduler jobs that have supported targets. Both approaches give you the chance to specify services to restrict. Specify the Cloud Scheduler API.

Existing perimeters: To update an existing VPC Service Controls perimeter to include Cloud Scheduler, follow the steps for updating a service perimeter.
New perimeters: To create a new perimeter for Cloud Scheduler, follow the steps to create a service perimeter.

Enforce VPC Service Controls on preexisting jobs

Recommended. To enforce VPC Service Controls on Cloud Scheduler jobs that you created before you added Cloud Scheduler to your VPC Service Controls perimeter, run an update on the job. You do not have to change the job, but you must run the update in order for VPC Service Controls to apply to the job and its future executions.

You can run an update for the job from the Google Cloud console (select the job and use the Edit button), using the API, or with the gcloud CLI.

To enforce VPC Service Controls on a preexisting job by using the gcloud CLI, run the following:

HTTP targets

gcloud scheduler jobs update http JOB_ID

Replace the following:

JOB_ID: the ID of your job

Pub/Sub targets

gcloud scheduler jobs update pubsub JOB_ID

Replace the following:

JOB_ID: the ID of your job