CloudScheduler 403 Permission denied while creating
I am trying to create a Cron job programmatically in the CloudScheduler Google Cloud Platform using the following API explorer.

Reference: Cloud Scheduler Documentation

Even though I have given the user Owner permission and verified it in Policy Troubleshooter that it has cloudscheduler.jobs.create, I am still getting the following error.

{
  "error": {
    "code": 403,
    "message": "The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.create\" for the resource \"projects/cloud-monitoring-saurav/locations/us-central\" (or the resource may not exist).",
    "status": "PERMISSION_DENIED"
  }
}
Ancestral answered 16/12, 2021 at 9:18 Comment(2)
How do you try the creation? Directly from API Explorer? In your code? with CURL? – Philadelphia
I tried directly from the API Explorer as well as code. I tried two different projects and was able to run successfully in one of the projects doing the exact same thing. – Ancestral
6

I had the same issue. The problem was that the region I specified did not support the cloud scheduler. You seem to have the same issue: "us-central" is not supported. Try "us-central1"

Diapedesis answered 24/6, 2022 at 12:10 Comment(1)
Wow, I wasted so much time looking at IAM roles and permissions just to now realize that Scheduler is not available in my default region. Thanks for the clear errors Google 🤦🏻‍♂️ – Roughandready
2

The error is caused by using a service account that does not have an IAM role that includes the permission cloudscheduler.jobs.create. An example role is roles/cloudscheduler.admin aka Cloud Scheduler Admin. I have the feeling that you have mixed the permission of the service account that you use with Cloud Scheduler (at runtime, when a job triggers something) and the permission of the account currently creating the job (aka your account for example).

You actually need two service accounts for the job to get created. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for the default Cloud Scheduler itself (which is managed by Google).

  1. Use an existing service account to be used for the call from Cloud Scheduler to your HTTP target or you can create a new service account for this purpose. The service account must belong to the same project as the one in which the Cloud Scheduler jobs are created. This is the client service account. Use this one when specifying the service account to generate the OAuth / OIDC tokens. If your target is part of Google Cloud, like Cloud Functions/Cloud Run, update your client service account by granting it the necessary IAM role (Cloud Functions Invoker for Cloud Functions and Cloud Run Invoker for Cloud Run). The receiving service automatically verifies the generated token. If your target is outside of Google Cloud, the receiving service must manually verify the token.

  2. The other service account is the default Cloud Scheduler service account which must also be present in your project and have the Cloud Scheduler Service Agent role granted to it. This is so it can generate header tokens on behalf of your client service account to authenticate to your target. The Cloud Scheduler service account with this role granted is automatically set up when you enable the Cloud Scheduler API, unless you enabled it prior to March 19, 2019, in which case you must add the role manually.

Note : Do not remove the service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com service account from your project, or its Cloud Scheduler Service Agent role. Doing so will result in 403 responses to endpoints requiring authentication, even if your job's service account has the appropriate role.

Freeness answered 16/12, 2021 at 14:42 Comment(3)
I verified that I indeed have both service accounts with the necessary permissions. I did the exact same thing in another project and was able to do it without any problems. – Ancestral
Strange that it did not work in this project and glad that you were able to solve it in another project doing the same thing. I do not have an answer for this discrepancy; however, if you feel my answer was of any help to you/community, please click on the upvote button on the left of my answer. Thanks and have a great day ahead! – Freeness
I am the project owner and I can create a Job with the gcloud scheduler jobs create http command. But I get the error "403 Permission denied" when using Python with the same credentials generated with application default login (gcloud auth application-default login) – Overstrung
0

In my case it required the permission: cloudscheduler.jobs.delete.

I found the role by permission name: https://cloud.google.com/iam/docs/permissions-reference

It was Cloud Scheduler Admin (roles/cloudscheduler.admin)

Then I added it to my service account roles.

Erigeron answered 19/9, 2022 at 11:19 Comment(0)
0

In my case the error was that I was using the PROJECT NUMBER instead of the PROJECT ID. I tried PROJECT NUMBER because I was getting the error Job name must be formatted: "projects/<PROJECT_ID>/locations/<LOCATION_ID>/jobs/<JOB_ID>". But it turned out that the name of the job must also contain the parent path. So it expects the parent and the name containing the parent like this:

# google.auth replaces the deprecated oauth2client for Application Default Credentials
import google.auth
from googleapiclient.discovery import build

credentials, _ = google.auth.default()
service = build('cloudscheduler', 'v1', credentials=credentials)

PROJECT_ID = 'my-project-id'   # the project ID, not the numeric project number
job_id = 'my-job'              # short job ID; the full name must include the parent
parent = f'projects/{PROJECT_ID}/locations/us-central1'
job_name = f'{parent}/jobs/{job_id}'
job_body = {
    "name": job_name,
    "httpTarget": {
        "headers": {
            "X-Myheader-key": "Value"
        },
        "httpMethod": "GET",
        "uri": 'https://foo.bar/pathh'
    },
    "schedule": "* * * * *"
}
# execute() sends the request; without it no job is created
response = service.projects().locations().jobs().create(parent=parent, body=job_body).execute()
Overstrung answered 23/3, 2023 at 21:5 Comment(0)
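Added example, not code from this thread: it turns the two non-IAM causes found above (the non-regional location from Diapedesis' answer and the project number / missing parent path from Overstrung's answer) into checks that run before the create call, and reads the resource path out of the 403 body quoted in the question. The regexes are assumed syntactic rules, not an authoritative list of supported Scheduler regions.

```python
import re
from typing import Optional

# Assumed syntactic rules (not an authoritative list of Scheduler regions): project IDs
# are 6-30 lowercase chars starting with a letter; Scheduler wants a regional location
# like us-central1 (letters-letters+digit), never a project number or "us-central".
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
LOCATION_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]+$")
JOB_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,500}$")
RESOURCE_RE = re.compile(r'for the resource "projects/([^/"]+)/locations/([^/"]+)')

def check_parent(project: str, location: str) -> list:
    """Return the likely non-IAM problems with a Scheduler parent path."""
    problems = []
    if project.isdigit():
        problems.append(f"'{project}' looks like a project NUMBER; use the project ID")
    elif not PROJECT_ID_RE.match(project):
        problems.append(f"'{project}' is not a valid project ID")
    if not LOCATION_RE.match(location):
        problems.append(f"'{location}' is not a regional location ID (e.g. 'us-central1')")
    return problems

def build_job_name(project: str, location: str, job_id: str) -> str:
    """Build the full job name the API expects, refusing inputs that yield the 403 above."""
    problems = check_parent(project, location)
    if not JOB_ID_RE.match(job_id):
        problems.append(f"'{job_id}' is not a valid job ID")
    if problems:
        raise ValueError("; ".join(problems))
    return f"projects/{project}/locations/{location}/jobs/{job_id}"

def diagnose_403(error: dict) -> Optional[str]:
    """Read the resource path out of a PERMISSION_DENIED body and check it before IAM."""
    body = error.get("error", {})
    if body.get("status") != "PERMISSION_DENIED":
        return None
    match = RESOURCE_RE.search(body.get("message", ""))
    if not match:
        return None
    problems = check_parent(match.group(1), match.group(2))
    return "; ".join(problems) if problems else "parent looks well-formed; check IAM bindings"

# Constructed sample: the error body quoted in the question above.
SAMPLE_ERROR = {"error": {"code": 403, "status": "PERMISSION_DENIED",
    "message": 'The principal (user or service account) lacks IAM permission '
               '"cloudscheduler.jobs.create" for the resource '
               '"projects/cloud-monitoring-saurav/locations/us-central" '
               '(or the resource may not exist).'}}
```

Run diagnose_403 on the parsed error body before touching IAM bindings; the real list of regions comes from gcloud scheduler locations list.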
