Introduction
Cloud Scheduler has an advanced feature: when a job fires, it first obtains a token for a specified IAM identity (a service account you configure on the job) and only then calls the target service on Cloud Run or Cloud Functions. The overall flow is roughly as follows:
- Cloud Scheduler sends a POST request to IAM (the generateIdToken call of the Service Account Credentials API) to obtain an OIDC ID token for the job's service account
- Cloud IAM returns the token
- Cloud Scheduler calls the service on Cloud Run with that token in the Authorization header
What should you do if, after deploying, the Logs page shows PERMISSION_DENIED for the job?
{
  "jobName": "projects/cloud-833005/locations/us-central1/jobs/sync_usr",
  "targetType": "HTTP",
  "url": "https://ukrjq-uc.a.run.app/api/job/load",
  "status": "PERMISSION_DENIED",
  "@type": "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"
}
Cause
The Cloud Scheduler service agent does not have the iam.serviceAccounts.getOpenIdToken permission, so the POST request that Cloud Scheduler sends to Cloud IAM (the generateIdToken call that mints the ID token for the job's service account) is rejected before the target is ever called. Note that the same PERMISSION_DENIED status is also reported when the Cloud Run target itself answers HTTP 403, which happens when the job's service account lacks roles/run.invoker on the service or the token's audience does not match the service URL, so check that binding as well if the fix below does not resolve it.
Solution
Open Cloud Shell and run the following commands to grant the Cloud Scheduler service agent (service-PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com, named after the project number, not the project ID) the Cloud Scheduler Service Agent role (roles/cloudscheduler.serviceAgent), which includes iam.serviceAccounts.getOpenIdToken. According to Google's documentation this binding is created automatically for newer projects but must be granted manually in projects created before March 19, 2019.
# Please change [YOUR_PROJECT_ID] to your project id
# Get project number
PROJECT_NUM=$(gcloud projects describe [YOUR_PROJECT_ID] --format='value(projectNumber)')
# Grant permission
gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] --member serviceAccount:service-$PROJECT_NUM@gcp-sa-cloudscheduler.iam.gserviceaccount.com --role roles/cloudscheduler.serviceAgent
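The complete procedure the post describes, as an added shell example that is not code from the original post: grant the service agent role (the fix above), give the job its own least-privilege service account with roles/run.invoker on the target, create the job with an OIDC token, fire it once and read the AttemptFinished status back from Cloud Logging. It assumes gcloud is authenticated; the project, region, service, job and service-account names are placeholders passed in as arguments, and the /api/job/load path is the one from the log entry above.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   sh scheduler_oidc_setup.sh PROJECT_ID REGION CLOUD_RUN_SERVICE JOB_NAME SA_NAME
# All five arguments are placeholders chosen by the caller.
set -eu

SCHEDULER_AGENT_DOMAIN="gcp-sa-cloudscheduler.iam.gserviceaccount.com"

# The Cloud Scheduler service agent is a Google-managed account named after
# the project NUMBER (not the project ID); this builds its IAM member string.
scheduler_service_agent() {
  echo "serviceAccount:service-$1@${SCHEDULER_AGENT_DOMAIN}"
}

# Map the status field of an AttemptFinished log entry to what to check next.
status_hint() {
  case "$1" in
    OK)
      echo "ok" ;;
    PERMISSION_DENIED)
      echo "check roles/cloudscheduler.serviceAgent on the service agent, roles/run.invoker on the job's service account, and that --oidc-token-audience equals the service URL" ;;
    NOT_FOUND)
      echo "check the job URI" ;;
    *)
      echo "unrecognised status $1" ;;
  esac
}

setup() {
  project="$1"; region="$2"; service="$3"; job="$4"; sa_name="$5"

  project_num=$(gcloud projects describe "$project" --format='value(projectNumber)')
  job_sa="${sa_name}@${project}.iam.gserviceaccount.com"

  # 1. The service agent needs iam.serviceAccounts.getOpenIdToken to mint an
  #    ID token for the job's service account (the PERMISSION_DENIED fix).
  gcloud projects add-iam-policy-binding "$project" \
    --member="$(scheduler_service_agent "$project_num")" \
    --role=roles/cloudscheduler.serviceAgent

  # 2. A dedicated identity for the job that can do exactly one thing:
  #    invoke this service. Creation is skipped if it already exists.
  gcloud iam service-accounts create "$sa_name" --project="$project" \
    --display-name="Cloud Scheduler caller for $service" || true
  gcloud run services add-iam-policy-binding "$service" \
    --project="$project" --region="$region" \
    --member="serviceAccount:${job_sa}" --role=roles/run.invoker

  # 3. The job. The token audience must be the service URL, otherwise
  #    Cloud Run rejects the token with 403 even though it was minted fine.
  url=$(gcloud run services describe "$service" \
          --project="$project" --region="$region" --format='value(status.url)')
  gcloud scheduler jobs create http "$job" --project="$project" --location="$region" \
    --schedule="*/10 * * * *" --http-method=POST --uri="${url}/api/job/load" \
    --oidc-service-account-email="$job_sa" --oidc-token-audience="$url"

  # 4. Fire once and read the recent attempt statuses (logs can lag a little).
  gcloud scheduler jobs run "$job" --project="$project" --location="$region"
  sleep 10
  gcloud logging read \
    "resource.type=\"cloud_scheduler_job\" AND resource.labels.job_id=\"$job\"" \
    --project="$project" --limit=5 --format='value(jsonPayload.status)' |
  while read -r status; do
    [ -n "$status" ] || continue
    echo "attempt status: $status - $(status_hint "$status")"
  done
}

# Only run the gcloud steps when all five arguments are supplied.
if [ "$#" -eq 5 ]; then
  setup "$@"
fi
```

The job's service account is deliberately separate from the default compute service account: it holds only run.invoker on one service, so a compromised or misconfigured job cannot be used to reach anything else.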
References
How to set up Cloud Scheduler to trigger Cloud Run on a schedule: Setting up Cloud Scheduler to Trigger Cloud-Run
https://cloud.google.com/iam/docs/understanding-roles#cloud-scheduler-roles
https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken?hl=zh-tw&authuser=0
https://cloud.google.com/scheduler/docs/http-target-auth#using-gcloud_1