Open MarkEdmondson1234 opened 3 years ago
Need to add the scheduler email as a role: https://cloud.google.com/run/docs/triggering/using-scheduler#command-line
auth_step <- cr_buildstep_gcloud(
args = c("gcloud",
"run", "services", "add-iam-policy-binding",
name,
sprintf("--member=serviceAccount:%s",cr_email_get()),
"--role=roles/run.invoker",
"--platform", "managed",
name),
id = "auth cloudrun",
...)
??
It seems impossible for the invoker for private Cloud Run to be the same email as the one deploying it (which is weird if you ask me - the error was "this@email does not have permission to act on behalf of this@email").
Down that rabbit hole the Cloud run deployment process (via cr_buildstep_run()
) will now create a dedicated service account for its own deployment and give it access. This brings the need for users to generate that email, which is by default called "my-app-invoker" - tried to explain in the docs
# for unauthenticated apps create a HttpTarget
run_me <- HttpTarget(
uri = "https://public-ewjogewawq-ew.a.run.app/echo?msg=blah",
http_method = "GET"
)
cr_schedule("cloud-run-scheduled", schedule = "16 4 * * *",
httpTarget = run_me)
# for authenticated Cloud Run apps - create with allowUnauthenticated=FALSE
cr_deploy_run("my-app", allowUnauthenticated = TRUE)
## End(Not run)
# deploying via R will help create a service email called my-app-cloudrun-invoker
cr_run_email("my-app")
## Not run:
# use that email to schedule the Cloud Run private micro-service
# schedule the endpoint
my_run_name <- "my-app"
my_app <- cr_run_get(my_run_name)
email <- cr_run_email(my_run_name)
endpoint <- paste0(my_app$status$url, "/fetch_stuff")
app_sched <- cr_run_schedule_http(endpoint,
http_method = "GET",
email = email)
cr_schedule("cloud-run-scheduled-1",
schedule = "4 16 * * *",
httpTarget = app_sched)
Maybe add the option to the "Schedule R script" gadget to have a plumber API endpoint as an option.