Fix GCP Cloud Run Scheduler Errors
When working with GCP Cloud Run, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake made when Cloud Scheduler invokes a Cloud Run service and shows the exact fix.
A Common Mistake
The mistake is creating a Cloud Scheduler HTTP target that calls a Cloud Run service without any authentication configuration, which causes each scheduled invocation to fail with 403.
The incorrect command:
gcloud scheduler jobs create http my-job --schedule="0 * * * *" --uri=https://my-service-xxxxx-uc.a.run.app/run-task
Error output:
Created scheduler job.
Each hour:
HTTP request fails with 403 Forbidden.
Cloud Scheduler cannot authenticate to the private Cloud Run service. The job records a failure.
The Correct Approach
The right way to configure a Cloud Scheduler job that invokes GCP Cloud Run:
gcloud run services add-iam-policy-binding my-service \
  --member=serviceAccount:my-project@appspot.gserviceaccount.com \
  --role=roles/run.invoker \
  --region=us-central1 && \
gcloud scheduler jobs create http my-job \
  --schedule="0 * * * *" \
  --uri=https://my-service-xxxxx-uc.a.run.app/run-task \
  --oidc-service-account-email=my-project@appspot.gserviceaccount.com \
  --oidc-token-audience=https://my-service-xxxxx-uc.a.run.app
Successful result:
Created scheduler job with OIDC.
Scheduled invocations succeed. The Cloud Run service receives the OIDC token and verifies it. The job runs every hour successfully.
How to Prevent This
Use OIDC authentication for Cloud Scheduler calls to Cloud Run. The audience (--oidc-token-audience) must match the Cloud Run service URL. Use the App Engine default service account or a custom service account with roles/run.invoker. Test with gcloud scheduler jobs run.
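The checks above can be automated before a job goes live. The following is an added example, not part of the original guide or of any Google tooling: it audits JSON shaped like the output of gcloud scheduler jobs describe --format=json and gcloud run services get-iam-policy --format=json. The function name audit_scheduler_job and the sample data are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed samples, shaped like `gcloud scheduler jobs describe --format=json`
# and `gcloud run services get-iam-policy --format=json` (values from the guide).
SERVICE = "https://my-service-xxxxx-uc.a.run.app"
SA = "my-project@appspot.gserviceaccount.com"
BROKEN_JOB = {"httpTarget": {"uri": SERVICE + "/run-task", "httpMethod": "POST"}}
FIXED_JOB = {"httpTarget": {
    "uri": SERVICE + "/run-task",
    "oidcToken": {"serviceAccountEmail": SA, "audience": SERVICE},
}}
POLICY = {"bindings": [
    {"role": "roles/run.invoker", "members": ["serviceAccount:" + SA]},
]}


def audit_scheduler_job(job: dict, run_policy: dict) -> list:
    """Return findings for a Scheduler HTTP job that targets a Cloud Run service.

    audit_scheduler_job is a hypothetical helper name used for this example.
    """
    findings = []
    target = job.get("httpTarget", {})
    parts = urlsplit(target.get("uri", ""))
    service_url = f"{parts.scheme}://{parts.netloc}"  # service URL without the path

    oidc = target.get("oidcToken")
    if not oidc:
        # The mistake from the guide: no identity token is attached, so a
        # private Cloud Run service answers 403.
        return ["no oidcToken on httpTarget: requests are sent unauthenticated"]

    sa = oidc.get("serviceAccountEmail", "")
    aud = oidc.get("audience", "")
    if aud.rstrip("/") != service_url:
        findings.append(f"audience {aud!r} does not match service URL {service_url!r}")

    # Collect every member holding roles/run.invoker in the service-level policy.
    invokers = set()
    for binding in run_policy.get("bindings", []):
        if binding.get("role") == "roles/run.invoker":
            invokers.update(binding.get("members", []))
    if f"serviceAccount:{sa}" not in invokers:
        findings.append(f"{sa} is not bound to roles/run.invoker in the service policy")
    if invokers & {"allUsers", "allAuthenticatedUsers"}:
        findings.append("service is publicly invocable, so the token is not what gates access")
    return findings
```

The invoker check only covers the service-level policy; a binding granted at project level does not appear in that output and would be reported as missing here.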
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.