Subject: Permission Denied Error with Cloud Scheduler Trying to Trigger Google Workflows

Hello,

I am encountering a “Permission Denied” error when trying to trigger a Google Workflow from a Cloud Scheduler job. Despite configuring the necessary roles and permissions, the job fails to execute. Below are the details of my setup and what I have tried so far:

Despite these settings, the execution logs in Cloud Logging indicate a “PERMISSION DENIED” error. The exact log output is as follows:

{
  "insertId": "16r0g0jfbinms5",
  "jsonPayload": {
    "jobName": "projects/gld-sbx-dataoffice-01-daa9/locations/europe-west1/jobs/actualisation_du_classement",
    "url": "https://europe-west1-gld-sbx-dataoffice-01-daa9.cloudfunctions.net/crea_table_classement",
    "@type": "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished",
    "status": "PERMISSION_DENIED",
    "debugInfo": "URL_ERROR-ERROR_OTHER. Original HTTP response code number = 403",
    "targetType": "HTTP"
  },
  "httpRequest": {
    "status": 403
  },
  "resource": {
    "type": "cloud_scheduler_job",
    "labels": {
      "project_id": "gld-sbx-dataoffice-01-daa9",
      "location": "europe-west1",
      "job_id": "actualisation_du_classement"
    }
  },
  "timestamp": "2024-10-01T16:44:05.776865155Z",
  "severity": "ERROR",
  "logName": "projects/gld-sbx-dataoffice-01-daa9/logs/cloudscheduler.googleapis.com%2Fexecutions",
  "receiveTimestamp": "2024-10-01T16:44:05.776865155Z"
}

I’ve also manually triggered the workflow using the same service account and it executes without any issues.

Could anyone help identify what might be missing or misconfigured in my setup? Any insights or suggestions would be greatly appreciated.

Thank you!

For additional information, I have followed this tutorial: https://www.youtube.com/watch?v=t7e0dNSCmzI

To ensure the service account is writing to the Logs Explorer, can you add logging.logWriter?

I'd also suggest you might give the Scheduler service agent account (service-PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com) the iam.serviceAccounts.actAs permission on the Functions service agent account (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com), as it is the one invoking; if you want the function to trigger the schedule, you'd give the function's service account the service agent permission on the Scheduler service agent.

See https://cloud.google.com/scheduler/docs/http-target-auth#set_up_the_service_account as a reference.

I tried what you said but it's not working. Can I provide you more information for better help?