Fix GCP Cloud Run Run Schedule Job Errors
When working with GCP Cloud Run, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with run schedule job and shows the exact fix.
A Common Mistake
Creating a Cloud Scheduler job to trigger a Cloud Run job but with incorrect authentication setup, causing the scheduled trigger to fail with 403 errors.
The incorrect command:
gcloud scheduler jobs create http my-schedule --schedule="0 */2 * * *" --uri=https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/my-project/jobs/my-job:run
Error output:
Created scheduler job.
When the schedule triggers:
POST https://us-central1-run.googleapis.com/...
403 Forbidden: The Cloud Scheduler service account does not have permission to run the job.
The Correct Approach
The right way to configure run schedule job in GCP Cloud Run:
gcloud run jobs add-iam-policy-binding my-job --member=serviceAccount:my-project@appspot.gserviceaccount.com --role=roles/run.invoker --region=us-central1 && gcloud scheduler jobs create http my-schedule --schedule="0 */2 * * *" --uri=https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/my-project/jobs/my-job:run --oauth-service-account-email=my-project@appspot.gserviceaccount.com
Successful result:
Created scheduler job with auth.
The App Engine default SA has roles/run.invoker on the job. The schedule triggers successfully every 2 hours:
Execution my-job-xxxxx started.
How to Prevent This
Grant roles/run.invoker to the scheduler's service account. Use --oauth-service-account-email for authentication. Verify with gcloud scheduler jobs describe. For cross-project scheduling, use --oidc-service-account-email. Test the schedule with gcloud scheduler jobs run my-schedule --schedule-now.
FAQ
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro