Secure cron jobs with VPC Service Controls


VPC Service Controls is a Google Cloud feature that allows you to set up a secure perimeter to guard against data exfiltration. This guide shows how to include Cloud Scheduler jobs in a VPC Service Controls perimeter.

Limitations

The Cloud Scheduler integration with VPC Service Controls has the following limitations:

  • Only supports Pub/Sub targets

Allow-list compatible targets

Recommended. The Cloud Scheduler integration with VPC Service Controls only supports jobs with Pub/Sub targets; jobs with any other target fail with an error. To prevent jobs with other targets (such as App Engine or HTTP) from running, organization policy administrators can set an organization policy at the level of the Google Cloud project, folder, or organization. To learn more about the levels at which organization policies apply, see Understanding hierarchy evaluation.

Any policy you set is not retroactively enforced. In general, existing jobs are not affected when the policy value is updated. The exception to this is existing jobs for which the target type is later updated. If you update the target type on a job after updating the policy for allowed target types, the policy is enforced.

By default, if no policy is set, all target types are allowed. To allow-list only jobs that have targets compatible with VPC Service Controls, take the following steps:

  1. Ensure that you have the following Identity and Access Management (IAM) roles:

    • Organization Policy Administrator (roles/orgpolicy.policyAdmin). Required for creating organization policies.
  2. In the Google Cloud console, go to Organization Policies.


  3. In the filter, type Allowed target types for jobs, and select this policy to go to its details page.

  4. Click the Edit icon.

  5. Under Rules, go to Add rule and fill in the fields as follows:

    • Policy values: Custom
    • Policy type: Allow
    • Custom values: PUBSUB
  6. Click Done.

  7. Click Save.
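Because the policy is not enforced retroactively, existing jobs with HTTP or App Engine targets keep running until their target type changes, and they will fail once the project is inside a perimeter. The following audit script is an added example, not part of this guide or of any Google tooling: it reads job JSON shaped like the output of `gcloud scheduler jobs list --format=json` (assumption: that output mirrors the Cloud Scheduler API Job resource, whose target fields are `pubsubTarget`, `httpTarget` and `appEngineHttpTarget`) and lists every job that is not compatible with VPC Service Controls. The job names and schedules in the sample are constructed.

```python
import json

# Target fields a Cloud Scheduler job resource can carry, with a readable label.
# Assumption: the field names follow the Cloud Scheduler API Job resource.
TARGET_FIELDS = {
    "pubsubTarget": "Pub/Sub",
    "httpTarget": "HTTP",
    "appEngineHttpTarget": "App Engine HTTP",
}

# Only Pub/Sub targets are supported inside a VPC Service Controls perimeter.
VPC_SC_COMPATIBLE_FIELDS = {"pubsubTarget"}


def target_type(job):
    """Return the label of the job's target, or 'unknown' if no target field is set."""
    for field, label in TARGET_FIELDS.items():
        if field in job:
            return label
    return "unknown"


def find_incompatible_jobs(jobs):
    """Return (job name, target label) for each job that would fail in the perimeter."""
    return [
        (job.get("name", "<unnamed>"), target_type(job))
        for job in jobs
        if not any(field in job for field in VPC_SC_COMPATIBLE_FIELDS)
    ]


# Constructed sample in the shape of `gcloud scheduler jobs list --format=json`.
SAMPLE_JOBS_JSON = """
[
  {"name": "projects/example-proj/locations/us-central1/jobs/nightly-export",
   "schedule": "0 2 * * *",
   "pubsubTarget": {"topicName": "projects/example-proj/topics/exports"}},
  {"name": "projects/example-proj/locations/us-central1/jobs/webhook-ping",
   "schedule": "*/5 * * * *",
   "httpTarget": {"uri": "https://example.invalid/ping", "httpMethod": "POST"}},
  {"name": "projects/example-proj/locations/us-central1/jobs/gae-cleanup",
   "schedule": "0 * * * *",
   "appEngineHttpTarget": {"relativeUri": "/cleanup"}}
]
"""


def audit(jobs_json=SAMPLE_JOBS_JSON):
    """Parse job JSON and report the jobs that must be migrated to Pub/Sub or removed."""
    findings = find_incompatible_jobs(json.loads(jobs_json))
    for name, label in findings:
        print(f"NOT VPC-SC COMPATIBLE: {name} (target: {label})")
    return findings


if __name__ == "__main__":
    audit()
```

Run it against real output by piping `gcloud scheduler jobs list --format=json` into `audit()` before moving the project into the perimeter.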

Add required IAM roles

Required. In order to use VPC Service Controls, the Cloud Scheduler service account must have the Cloud Scheduler Service Agent IAM role. The Cloud Scheduler service account is created for your project automatically. To verify that it has the Cloud Scheduler Service Agent IAM role, or to grant this role, take the following steps:

  1. In the Google Cloud console, go to IAM.


  2. Select the Include Google-provided role grants checkbox.

  3. In the filter, type Cloud Scheduler Service Account, and select this principal.

  4. Look at the Role column for the Cloud Scheduler Service Account principal. You can proceed if the following role is listed:

    • Cloud Scheduler Service Agent

    If the Cloud Scheduler Service Agent role is not listed, click the Edit icon and grant the Cloud Scheduler Service Agent role to the Cloud Scheduler Service Account principal.

Specify a VPC Service Controls perimeter

Required. You can use an existing perimeter or create a new one to protect your Cloud Scheduler jobs that have Pub/Sub targets. Both approaches let you specify which services to restrict; include the Cloud Scheduler API among them.