Reputation: 23
An HTTP Cloud Scheduler job fails to trigger a Cloud Run endpoint. I created a service account and it's provided with the Cloud Scheduler and Cloud Run admin roles. On the Cloud Run permissions tab the account is given the Cloud Run Invoker permission. The Cloud Run endpoint can be triggered on the console and returns successfully. The Cloud Scheduler job is getting created if no authentication is required, and when it sends a request Cloud Run returns a 403 HTTP response. The command used is:
gcloud beta scheduler jobs create http *job_name* --schedule="* * * * *" --uri="https://*cloud-run-app-name-*cno4ptsl2q-ew.a.run.app" --http-method=GET --oidc-service-account-email="*project_id_number*@cloudservices.gserviceaccount.com"
On the console, when this command is run, an invalid argument error occurs. When I do it on the console, creating the job failed: Unknown Error
Upvotes: 1
Views: 1560
Reputation: 969
When you use OIDC authentication, you must specify the "OIDC Audience" in your command if you didn't specify it in the URI.
Refer here to get more info about Cloud Scheduler's OIDC audience flag.
It seems that your URI didn't include the audience value.
Check the attached link and retry creating the job after adding the audience flag to your command.
This is my command, which succeeded in creating the Cloud Scheduler job:
gcloud scheduler jobs create http deax-tweets-collection --schedule='* * * * *' \
    --uri='https://job-name-cno4ptsl2q-ew.a.run.app' --http-method='GET' \
    --oidc-service-account-email='[email protected]' \
    --oidc-token-audience='https://job-name-cno4ptsl2q-ew.a.run.app'
Upvotes: 0
Reputation: 207830
OIDC needs the URL in the AUD param, make sure you have it.
Best would be to use OAUTH.
OAUTH: you need only the service account and the scope https://www.googleapis.com/auth/cloud-platform
Upvotes: 0
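Both answers above point at the token's audience. The following is an added example, not code from the thread or from Google: a Python helper that decodes an OIDC token's payload for inspection (no signature check) and reports why an invoker check would reject it. It assumes the service expects `aud` to equal its URL exactly and that the token carries an `email` claim for the service account; the URL, the e-mail address and the sample tokens are constructed placeholders.

```python
import base64
import json

# Constructed placeholders, not values from the thread.
SERVICE_URL = "https://example-service-abc123-ew.a.run.app"
INVOKER_SA = "scheduler-invoker@example-project.iam.gserviceaccount.com"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_claims(jwt: str) -> dict:
    """Return the payload claims. Inspection only: the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(jwt: str, service_url: str, invoker_email: str) -> list:
    """List the reasons this token would not pass the assumed audience/identity checks."""
    claims = token_claims(jwt)
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if service_url not in audiences:
        problems.append(f"aud {aud!r} does not match service URL {service_url!r}")
    if claims.get("email") != invoker_email:
        problems.append(f"email {claims.get('email')!r} is not the invoker account")
    return problems

def make_sample_token(aud, email: str) -> str:
    """Build an unsigned, constructed token for offline testing of diagnose()."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "email": email}).encode())
    return f"{header}.{payload}.constructed"

if __name__ == "__main__":
    wrong_aud = make_sample_token("https://other.example.com", INVOKER_SA)
    for line in diagnose(wrong_aud, SERVICE_URL, INVOKER_SA) or ["token looks acceptable"]:
        print(line)
```

To inspect a real token, capture the `Authorization: Bearer` value your service receives and pass it to `diagnose()` with your own service URL and service account e-mail.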