Find out which IAM account manually triggered a scheduled function
I have a GCP Cloud function which runs on a schedule every morning. The logs show that it has been triggered off-schedule three other times in the last week, which I presume can only happen if someone has gone to the Cloud Scheduler page and clicked 'Run now' on that function. How can I find out who did this? The Logs Explorer doesn't show this information. (Heads will not roll, but IAM permissions may be stripped. Bonus points if it turns out to have been me.)
For scheduled functions, there are two sets of logs - one for the cloud function triggered by the schedule, and one for the Cloud Scheduler itself. In the logs for the Cloud Scheduler, only the daily schedule shows up, not the extra triggers.
Log of the function starting in the logs explorer for the Cloud Function:
```json
{
  "textPayload": "Function execution started",
  "insertId": "REDACTED",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "region": "REDACTED",
      "function_name": "REDACTED",
      "project_id": "REDACTED"
    }
  },
  "timestamp": "2022-05-04T08:49:37.980952884Z",
  "severity": "DEBUG",
  "labels": {
    "execution_id": "REDACTED"
  },
  "logName": "projects/REDACTED/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
  "trace": "projects/REDACTED/traces/REDACTED",
  "receiveTimestamp": "2022-05-04T08:49:37.981500851Z"
}
```
Solution 1:[1]
If the trigger of your Cloud Function is HTTP and without authorization, it will be very hard (or near impossible) to figure out who called it.
Additionally, it is possible there were not enough available instances when it was scheduled, and then the Cloud Function ran later by a retry.
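An added example, not part of the original question or answer: a first triage step that compares the two log sets the question mentions and lists function starts with no Cloud Scheduler entry shortly before them. Apart from the timestamp quoted in the question, the log entries are constructed samples; the 60-second window and the names `parse_ts` and `unmatched_starts` are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample entries, trimmed to the fields used here. The first
# timestamp is the one quoted in the question; everything else is made up.
FUNCTION_LOGS = [
    {"textPayload": "Function execution started", "resource": {"type": "cloud_function"},
     "timestamp": "2022-05-04T08:49:37.980952884Z"},
    {"textPayload": "Function execution started", "resource": {"type": "cloud_function"},
     "timestamp": "2022-05-04T06:00:01.412345678Z"},
    {"textPayload": "Function execution took 950 ms, finished with status code: 200",
     "resource": {"type": "cloud_function"}, "timestamp": "2022-05-04T06:00:02.362Z"},
]
SCHEDULER_LOGS = [
    {"resource": {"type": "cloud_scheduler_job"}, "timestamp": "2022-05-04T06:00:00.102Z"},
]

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$")

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp; nanoseconds are truncated to microseconds."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unsupported timestamp: {value!r}")
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)

def unmatched_starts(function_logs, scheduler_logs, window=timedelta(seconds=60)):
    """Return timestamps of function starts with no scheduler entry in the preceding window."""
    attempts = sorted(parse_ts(e["timestamp"]) for e in scheduler_logs
                      if e.get("resource", {}).get("type") == "cloud_scheduler_job")
    flagged = []
    for entry in function_logs:
        if entry.get("textPayload") != "Function execution started":
            continue  # only execution starts are compared
        start = parse_ts(entry["timestamp"])
        if not any(timedelta(0) <= start - a <= window for a in attempts):
            flagged.append(entry["timestamp"])
    return flagged

if __name__ == "__main__":
    for ts in unmatched_starts(FUNCTION_LOGS, SCHEDULER_LOGS):
        print("no scheduler entry precedes start at", ts)
```

A start that the scheduler retried later still matches, as long as the retry itself appears in the scheduler log within the window.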
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow