Tags: google-cloud-platform, google-cloud-functions, google-cloud-iam, google-cloud-scheduler

How to schedule http invocation of authenticated cloud function?


I have a sort-of infrequently used cloud function that has a slow cold start latency. I want to reduce this latency by keeping the function warm. This function is normally only called by an app engine app, so it has restricted Cloud Invoker permissions. Cloud Scheduler seems like a good candidate for pinging the function to keep it warm. It seems that direct http invocation of the function is necessary. Even though the common convention is to schedule functions using pub/sub, a single function can't be both http-triggered and pubsub-triggered.

I set my Cloud Scheduler job as follows, but I still get a PERMISSION_DENIED error when it runs. Is something configured wrong, or is Cloud Scheduler not able to call an authenticated function directly over http? One suspicion is that the Audience parameter is not really the "target_audience" parameter that Cloud Functions expects, but the standard "aud" parameter.

[screenshot of the Cloud Scheduler job configuration, not reproduced]


Solution

  • There are several potential problems to investigate:

    1) Do you have the permission iam.serviceAccounts.actAs for the service account?

    When Cloud Scheduler creates tokens from a service account, it needs the permission iam.serviceAccounts.actAs. This is in the role roles/iam.serviceAccountUser. Add this role to the Cloud Scheduler Service Agent (notice the word Agent).

    2) Is Cloud Run granting this service account permissions?

    Unless you have enabled allUsers, you need to add the service account to Cloud Run. This is in the "Show Info Panel" under the "Permissions" tab. You can also add this via the CLI with the --service-account command-line option.
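The three steps the answer lists (grant actAs to the Cloud Scheduler service agent, grant the invoker role to the service account the job runs as, create an HTTP job whose OIDC audience equals the function URL) as one gcloud script. This is an added example, not the answerer's own commands: the project ID, project number, region, function name and invoker service account are placeholders, and the URL form assumes a 1st-gen HTTP function. By default it only prints the commands it would run (DRY_RUN=1); set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the original post). Wires Cloud Scheduler to an
# authenticated HTTP Cloud Function via an OIDC token. All names are placeholders.
set -eu

PROJECT_ID="my-project"              # assumed
PROJECT_NUMBER="123456789012"        # assumed; gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)'
REGION="us-central1"                 # assumed
FUNCTION_NAME="keep-warm-target"     # assumed
INVOKER_SA="scheduler-invoker@${PROJECT_ID}.iam.gserviceaccount.com"   # assumed
DRY_RUN="${DRY_RUN:-1}"

# Cloud Scheduler's own service agent: the identity that mints the OIDC token
# on behalf of INVOKER_SA, so it is the one that needs iam.serviceAccounts.actAs.
scheduler_agent() {
  echo "service-$1@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
}

# 1st-gen HTTP function URL: <region>-<project>.cloudfunctions.net/<name>.
# The same string is used as the OIDC audience, which is what the function checks.
function_url() {
  echo "https://$1-$2.cloudfunctions.net/$3"
}

# The token's aud must equal the URI the job calls; a mismatch is rejected
# before the function body runs, which surfaces as PERMISSION_DENIED.
check_audience() {
  [ "$1" = "$2" ]
}

# Print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

setup() {
  agent="$(scheduler_agent "$PROJECT_NUMBER")"
  url="$(function_url "$REGION" "$PROJECT_ID" "$FUNCTION_NAME")"

  # 1) Let the Scheduler service agent act as the invoker SA (roles/iam.serviceAccountUser
  #    carries iam.serviceAccounts.actAs). The binding goes on the SA, not the project.
  run gcloud iam service-accounts add-iam-policy-binding "$INVOKER_SA" \
    --project="$PROJECT_ID" \
    --member="serviceAccount:${agent}" \
    --role="roles/iam.serviceAccountUser"

  # 2) Let only the invoker SA call the function; no allUsers binding is needed.
  run gcloud functions add-iam-policy-binding "$FUNCTION_NAME" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="serviceAccount:${INVOKER_SA}" \
    --role="roles/cloudfunctions.invoker"

  # 3) HTTP job that sends an OIDC token for INVOKER_SA, with aud == function URL.
  check_audience "$url" "$url"
  run gcloud scheduler jobs create http "keep-warm-${FUNCTION_NAME}" \
    --project="$PROJECT_ID" --location="$REGION" \
    --schedule="*/5 * * * *" \
    --uri="$url" \
    --http-method=GET \
    --oidc-service-account-email="$INVOKER_SA" \
    --oidc-token-audience="$url"
}

setup
```

For a 2nd-gen function the underlying service is a Cloud Run service, which is why the answer talks about Cloud Run: step 2 then becomes `gcloud run services add-iam-policy-binding` with `--role=roles/run.invoker`, and the audience is the Cloud Run service URL rather than the cloudfunctions.net one. In both cases the job's audience and target URI must be the same string.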