DEVOPSZONES

    Step-by-Step Fix for GCP Cloud Scheduler 401/403 Error

     A 403 Forbidden error when Cloud Scheduler tries to trigger a Cloud Function typically means that the Cloud Scheduler service account does not have permission to invoke the function.

    A 401 Unauthorized error from Cloud Scheduler means that the job is trying to invoke the Cloud Function, but the request is not properly authenticated (no valid identity token is attached).

    This post shows how to configure authentication for an HTTP-triggered function in GCP Cloud Functions.

    Here’s how to fix it:

    Step 1: Grant Cloud Scheduler Permission to Invoke the Function

    1. Find the Cloud Scheduler Service Account
      Run the following command to identify the Cloud Scheduler service account:

      gcloud projects get-iam-policy YOUR_PROJECT_ID --flatten="bindings[].members" --format='table(bindings.role, bindings.members)' | grep cloudscheduler

      You should see an output like:

      roles/cloudscheduler.serviceAgent serviceAccount:service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com

      Copy this service account email.

    2. Grant roles/cloudfunctions.invoker to Cloud Scheduler

      gcloud functions add-iam-policy-binding YOUR_FUNCTION_NAME \
        --region=YOUR_REGION \
        --member="serviceAccount:service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com" \
        --role="roles/cloudfunctions.invoker"

    Step 2: Use a Service Account with OIDC Authentication

    Cloud Scheduler must use a service account with identity tokens to authenticate the request.

    1. Choose a service account (it must have roles/cloudfunctions.invoker).
      You can create a new one if needed:

      gcloud iam service-accounts create scheduler-invoker --display-name "Scheduler Invoker"

      Grant it the Cloud Function Invoker role:

      gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
        --member="serviceAccount:scheduler-invoker@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/cloudfunctions.invoker"

    2. Update the Cloud Scheduler Job to Use OIDC Authentication:

      gcloud scheduler jobs update http YOUR_JOB_NAME \
        --schedule="*/5 * * * *" \
        --uri="https://YOUR_REGION-YOUR_PROJECT_ID.cloudfunctions.net/YOUR_FUNCTION_NAME" \
        --http-method=GET \
        --oidc-service-account-email=scheduler-invoker@YOUR_PROJECT_ID.iam.gserviceaccount.com \
        --oidc-token-audience="https://YOUR_REGION-YOUR_PROJECT_ID.cloudfunctions.net/YOUR_FUNCTION_NAME"

      • --oidc-service-account-email: Specifies the service account that will authenticate the request.
      • --oidc-token-audience: Ensures the generated token is meant for this Cloud Function (the audience claim must match the function URL, or the token is rejected).

    Step 3: Test the Cloud Scheduler Job

    After updating the job, manually trigger it to check if it works:

    gcloud scheduler jobs run YOUR_JOB_NAME

    If successful, it should return 200 OK.
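
    The difference between the two errors in the steps above comes down to the OIDC identity token the job attaches: a token with the wrong audience, issuer or expiry is rejected before IAM runs (401), while a valid token for a service account that lacks roles/cloudfunctions.invoker gets through authentication and fails authorization (403). The script below is an added example, not code from the original post or from Google. It decodes a token's claims without verifying the signature (diagnosis only; the function's IAM layer does the real check) and reports which of the two symptoms each mismatch maps to. The function URL, service account email and tokens are constructed placeholders.

```python
"""
Diagnose a Cloud Scheduler -> Cloud Function 401/403 by inspecting the claims
of the OIDC identity token the job presents.

Added example, not from the original post. Claims are decoded WITHOUT
signature verification (diagnosis only); the function's IAM layer performs
the real verification. All tokens and identifiers below are constructed.
"""
import base64
import json
import time

ISSUER = "https://accounts.google.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, function_url: str, invoker_sa: str, now=None) -> list:
    """
    Return a list of findings. An empty list means the token looks right for
    this function; otherwise each entry names a mismatch and whether it
    surfaces as 401 (token rejected) or 403 (wrong principal).
    """
    now = time.time() if now is None else now
    findings = []
    try:
        claims = decode_claims(token)
    except ValueError:  # covers malformed base64 and bad JSON as well
        return ["401: request carries no parseable identity token"]

    if claims.get("iss") != ISSUER:
        findings.append(f"401: issuer {claims.get('iss')!r} is not {ISSUER}")
    # aud must equal the value passed as --oidc-token-audience (the function URL).
    if claims.get("aud") != function_url:
        findings.append(f"401: audience {claims.get('aud')!r} != {function_url}")
    if claims.get("exp", 0) <= now:
        findings.append("401: token expired")
    # email must be the service account that holds roles/cloudfunctions.invoker.
    if claims.get("email") != invoker_sa:
        findings.append(f"403: token is for {claims.get('email')!r}, "
                        f"which is not the invoker {invoker_sa}")
    return findings


def make_demo_token(claims: dict) -> str:
    """Build an unsigned demo JWT (constructed for this example only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample values (placeholders, not real project identifiers).
FUNCTION_URL = "https://us-central1-example-project.cloudfunctions.net/my-func"
INVOKER_SA = "scheduler-invoker@example-project.iam.gserviceaccount.com"
NOW = 1_700_000_000

GOOD_TOKEN = make_demo_token({"iss": ISSUER, "aud": FUNCTION_URL,
                              "email": INVOKER_SA, "exp": NOW + 3600})
WRONG_AUD_TOKEN = make_demo_token({"iss": ISSUER, "aud": "https://other.example",
                                   "email": INVOKER_SA, "exp": NOW + 3600})
WRONG_SA_TOKEN = make_demo_token({"iss": ISSUER, "aud": FUNCTION_URL,
                                  "email": "someone-else@example-project.iam.gserviceaccount.com",
                                  "exp": NOW + 3600})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("wrong-aud", WRONG_AUD_TOKEN),
                      ("wrong-sa", WRONG_SA_TOKEN)]:
        print(name, diagnose(tok, FUNCTION_URL, INVOKER_SA, now=NOW) or ["OK"])
```

    To run this against a real token, mint one with `gcloud auth print-identity-token --audiences=<function URL>` while impersonating the scheduler service account and pass it to diagnose(); if the audience finding appears, the fix is the --oidc-token-audience flag from Step 2, and if the email finding appears, the fix is the invoker binding from Step 1.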


    🔥 Summary

    • 401 Unauthorized happens because Cloud Scheduler isn’t authenticated properly.
    • Grant roles/cloudfunctions.invoker to Cloud Scheduler’s service account.
    • Use OIDC authentication in the Cloud Scheduler job.
    • Test the fix by running the job manually.
