agileMike

Reputation: 463

Unable to authenticate HTTP function call from Google Cloud Scheduler

I have created an HTTP Google Cloud Function that does not allow unauthenticated requests.

I have created a service account in the project with one role: Cloud Functions Invoker.

This service account is listed as a principal for my HTTP cloud function and is shown to have that role:

[image: function permissions]

I have created a Cloud Scheduler Job to run this function.

In the job, I've specified that I want it to obtain an OIDC token for authenticating requests to the http function:

[image: Cloud Scheduler Job settings]

Whenever I trigger the job, it fails with a message indicating the request is unauthenticated:

[image: Error message]

Things I've tried:

  1. Recreate the function
  2. Recreate the job
  3. Use a different user (the main service account user - that one doesn't work either)
  4. Do a POST instead of a GET from the scheduler job (I've successfully created scheduled jobs for authenticated http functions before but this is the first time I've done a GET - just grasping at straws really)

Did I miss something? Any idea why it is coming back with the "Unauthenticated" message?

Upvotes: 0

Views: 649

Answers (1)

agileMike

Reputation: 463

I revisited this today. My IAP-protected HTTP function is expecting a query string parameter to be passed into it. The Cloud Platform Web UI automatically sets the audience to the same URL (including the parameter) when creating the Scheduled Job. I figured Google knows what they are doing, so I left it that way originally.

Out of desperation I tried removing this parameter from the audience and that made the authentication work properly.

So, I changed the audience from

https://<myProject>.cloudfunctions.net/myFunction?p=abc

to

https://<myProject>.cloudfunctions.net/myFunction

Upvotes: 0
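An added example, not part of the original answer: a small diagnostic that reads the `aud` claim from an OIDC token and reports whether it matches the target URL with its query string removed, which is the mismatch the answer describes. The host name, the helper names and the sample tokens are constructed for illustration, and it assumes, following the answer, that the function accepts only the bare URL as audience.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit


def expected_audience(target_url):
    """Target URL with query string and fragment removed (assumed audience)."""
    p = urlsplit(target_url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def token_audiences(jwt):
    """Return the 'aud' claim as a list. The signature is NOT verified:
    this is for diagnosing a 401, never for making an access decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def diagnose(jwt, target_url):
    """Explain whether the token's audience fits the URL being called."""
    want = expected_audience(target_url)
    got = token_audiences(jwt)
    if want in got:
        return "ok"
    if any(expected_audience(a) == want for a in got):
        return "audience carries a query string or fragment; use " + want
    return "audience is for a different URL: " + ", ".join(got)


def sample_token(aud):
    """Constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"aud": aud}), "sig"])


if __name__ == "__main__":
    # Constructed placeholder URL in the shape used in the answer above.
    url = "https://my-project.cloudfunctions.net/myFunction?p=abc"
    print(diagnose(sample_token(url), url))
    print(diagnose(sample_token(expected_audience(url)), url))
```

The job's target URL keeps its `?p=abc` parameter; only the audience field is set to the bare function URL.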
