Reputation: 109
I am trying to create a Cron job programmatically in Cloud Scheduler on Google Cloud Platform using the following API explorer.
Reference: Cloud Scheduler Documentation
Even though I have given the user Owner permission and verified in Policy Troubleshooter that it has cloudscheduler.jobs.create, I am still getting the following error.
{
"error": {
"code": 403,
"message": "The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.create\" for the resource \"projects/cloud-monitoring-saurav/locations/us-central\" (or the resource may not exist).",
"status": "PERMISSION_DENIED"
}
}
Upvotes: 9
Views: 4916
Reputation: 3079
In my case the error was that I was using the PROJECT NUMBER instead of the PROJECT ID. I tried PROJECT NUMBER because I was getting the error Job name must be formatted: "projects/<PROJECT_ID>/locations/<LOCATION_ID>/jobs/<JOB_ID>". But it turned out that the name of the job must also contain the parent path. So it expects the parent and the name containing the parent like this:
from oauth2client.client import GoogleCredentials
from googleapiclient.discovery import build

PROJECT_ID = "my-project-id"  # placeholder: the project ID, not the project number
job_id = "my-job"             # placeholder: the short job ID

credentials = GoogleCredentials.get_application_default()
service = build("cloudscheduler", "v1", credentials=credentials)

parent = f"projects/{PROJECT_ID}/locations/us-central1"
job_name = f"{parent}/jobs/{job_id}"  # the job name must include the parent path
job_body = {
    "name": job_name,
    "httpTarget": {
        "headers": {"X-Myheader-key": "Value"},
        "httpMethod": "GET",
        "uri": "https://foo.bar/pathh",
    },
    "schedule": "* * * * *",
}
response = service.projects().locations().jobs().create(parent=parent, body=job_body).execute()
Upvotes: 0
Reputation: 153
In my case it required the permission: cloudscheduler.jobs.delete.
I found the role by permission name: https://cloud.google.com/iam/docs/permissions-reference
It was Cloud Scheduler Admin (roles/cloudscheduler.admin).
Then I added it to my service account roles.
Upvotes: 0
Reputation: 176
I had the same issue. The problem was that the region I specified did not support the Cloud Scheduler. You seem to have the same issue: "us-central" is not supported. Try "us-central1".
Upvotes: 6
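The two causes in the answers above (a project number in place of the project ID, and a region ID missing its trailing number) both produce the misleading 403, because the API treats a malformed resource path as "resource may not exist". The following checker, added here as an example and not taken from any answer, validates the projects/{project}/locations/{location} path before a jobs.create call and pulls the path out of a 403 body to diagnose it; the identifier patterns are assumptions for illustration, not the API's own validation rules.

```python
import json
import re

# Rough shapes of the identifiers in a Cloud Scheduler resource name. The
# patterns are assumptions for illustration, not the API's own validation.
PROJECT_NUMBER_RE = re.compile(r"^\d+$")
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
LOCATION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")  # region IDs end in a digit: us-central1
JOB_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,500}$")

def check_resource_path(project, location):
    """Return the likely mistakes in a projects/{project}/locations/{location} path."""
    findings = []
    if PROJECT_NUMBER_RE.match(project):
        findings.append(f"'{project}' is a project NUMBER; the path needs the project ID")
    elif not PROJECT_ID_RE.match(project):
        findings.append(f"'{project}' does not look like a project ID")
    if not LOCATION_RE.match(location):
        hint = f" (did you mean '{location}1'?)" if re.fullmatch(r"[a-z]+-[a-z]+", location) else ""
        findings.append(f"'{location}' is not a region ID{hint}")
    return findings

def build_job_names(project_id, location_id, job_id):
    """Return (parent, fully qualified job name) for jobs.create, refusing
    inputs that would yield a path the API reports as forbidden or missing."""
    problems = check_resource_path(project_id, location_id)
    if not JOB_ID_RE.match(job_id):
        problems.append(f"'{job_id}' is not a valid job ID")
    if problems:
        raise ValueError("; ".join(problems))
    parent = f"projects/{project_id}/locations/{location_id}"
    return parent, f"{parent}/jobs/{job_id}"

def diagnose_403(error_body):
    """Pull the resource path out of a PERMISSION_DENIED body and check it.
    An empty list means the path is well formed, so IAM really is the cause."""
    message = json.loads(error_body)["error"]["message"]
    match = re.search(r'resource "projects/([^/"]+)/locations/([^/"]+)"', message)
    if not match:
        return ["no projects/.../locations/... resource in the message"]
    return check_resource_path(match.group(1), match.group(2))

# Constructed sample: the error body quoted in the question.
SAMPLE_403 = json.dumps({"error": {"code": 403, "status": "PERMISSION_DENIED",
    "message": 'The principal (user or service account) lacks IAM permission '
               '"cloudscheduler.jobs.create" for the resource '
               '"projects/cloud-monitoring-saurav/locations/us-central" '
               '(or the resource may not exist).'}})
```

Running diagnose_403(SAMPLE_403) on the question's error flags "us-central" and suggests "us-central1"; an empty result means the path is fine and the principal genuinely lacks the role.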
Reputation: 3597
The error is caused by using a service account that does not have an IAM role that includes the permission cloudscheduler.jobs.create. An example role is roles/cloudscheduler.admin aka Cloud Scheduler Admin. I have the feeling that you have mixed the permission of the service account that you use with Cloud Scheduler (at runtime, when a job triggers something) and the permission of the account currently creating the job (aka your account for example).
You actually need two service accounts for the job to get created. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for the default Cloud Scheduler itself ( which is managed by Google)
Use an existing service account to be used for the call from Cloud Scheduler to your HTTP target, or you can create a new service account for this purpose. The service account must belong to the same project as the one in which the Cloud Scheduler jobs are created. This is the client service account. Use this one when specifying the service account to generate the OAuth / OIDC tokens. If your target is part of Google Cloud, like Cloud Functions/Cloud Run, update your client service account by granting it the necessary IAM role (Cloud Functions Invoker for Cloud Functions and Cloud Run Invoker for Cloud Run). The receiving service automatically verifies the generated token. If your target is outside of Google Cloud, the receiving service must manually verify the token.
The other service account is the default Cloud Scheduler service account which must also be present in your project and have the Cloud Scheduler Service Agent role granted to it. This is so it can generate header tokens on behalf of your client service account to authenticate to your target. The Cloud Scheduler service account with this role granted is automatically set up when you enable the Cloud Scheduler API, unless you enabled it prior to March 19, 2019, in which case you must add the role manually.
Note: Do not remove the service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com service account from your project, or its Cloud Scheduler Service Agent role. Doing so will result in 403 responses to endpoints requiring authentication, even if your job's service account has the appropriate role.
Upvotes: 2