El 15 de septiembre de 2026, todos los entornos de Cloud Composer 1 y Cloud Composer 2 versión 2.0.x alcanzarán el final de su ciclo de vida previsto, y no podrás usarlos. Te recomendamos que planifiques la migración a Cloud Composer 3.
El valor es una dirección de correo electrónico, como service-account-name@example-project.iam.gserviceaccount.com.
Otorga roles y permisos de IAM para acceder a recursos en otro proyecto
La cuenta de servicio de tu entorno requiere permisos para acceder a recursos en otro proyecto. Estos roles y permisos pueden variar según el recurso al que quieras acceder.
Accede a un recurso específico
Te recomendamos que otorgues roles y permisos para recursos específicos, como un solo bucket de Cloud Storage ubicado en un proyecto diferente. En este enfoque, usas el acceso basado en recursos con vinculaciones de roles condicionales.
Para acceder a un recurso específico, haz lo siguiente:
Después de otorgar los permisos y los roles necesarios, puedes acceder a los recursos en otro proyecto con las mismas conexiones predeterminadas de Airflow que usas para acceder a los recursos en el proyecto en el que se encuentra tu entorno.
[[["Fácil de comprender","easyToUnderstand","thumb-up"],["Resolvió mi problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Información o código de muestra incorrectos","incorrectInformationOrSampleCode","thumb-down"],["Faltan la información o los ejemplos que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-09-01 (UTC)"],[[["\u003cp\u003eThis page details how to access resources in a Google Cloud project different from your Cloud Composer 1 environment's project.\u003c/p\u003e\n"],["\u003cp\u003eThe recommended method involves utilizing preconfigured default connections in your DAGs, like \u003ccode\u003egoogle_cloud_default\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eYou must grant the service account of your Cloud Composer 1 environment the necessary IAM roles and permissions to access resources in the other project.\u003c/p\u003e\n"],["\u003cp\u003ePermissions can be granted either for specific resources (e.g., a particular Cloud Storage bucket) or for an entire resource type (e.g., all Cloud Storage buckets).\u003c/p\u003e\n"],["\u003cp\u003eAfter proper permissions are granted, you can access resources in the other project using the same default Airflow connections used within your environment's project.\u003c/p\u003e\n"]]],[],null,["\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/access-resources-in-another-project \"View this page for Cloud Composer 3\") \\| [Cloud Composer 2](/composer/docs/composer-2/access-resources-in-another-project \"View this page for Cloud Composer 2\") \\| **Cloud Composer 1**\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page describes how to access resources that are located in a different\nGoogle Cloud project than your Cloud Composer environment.\n\nIf you want to use a service account from one project to run environments in\nanother project, see\n[Using a service account from another project](/composer/docs/composer-1/access-control#cross-project).\n\nWe recommend to access resources in other Google Cloud projects in the\nfollowing way:\n\n1. In your DAGs, use the default connections that are preconfigured in your\n environment.\n\n For example, the `google_cloud_default` connection is used by many\n Google Cloud operators and is automatically configured when you\n create an environment.\n2. Grant extra IAM permissions and roles to the\n [service account of your environment](/composer/docs/composer-1/access-control#service-account), so that it can\n access resources in a different project.\n\nDetermine the service account of your environment\n\nTo determine the service account of your environment: \n\nConsole\n\n1. In Google Cloud console, go to the **Environments** page.\n\n [Go to Environments](https://console.cloud.google.com/composer/environments)\n2. In the list of environments, click the name of your environment.\n The **Environment details** page opens.\n\n3. Go to the **Environment configuration** tab.\n\n4. The service account of your environment is listed in\n the **Service account** field.\n\n The value is an email address, such as\n `service-account-name@example-project.iam.gserviceaccount.com`.\n\ngcloud \n\n gcloud composer environments describe \u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e \\\n --format=\"get(config.nodeConfig.serviceAccount)\"\n\nThe value is an email address, such as\n`service-account-name@example-project.iam.gserviceaccount.com`.\n\nGrant IAM roles and permissions to access resources in another project\n\nThe service account of your environment requires permissions to access\nresources in another project. These roles and permissions can be different\nbased on the resource that you want to access.\n\nAccess a specific resource\n\nWe recommend to grant roles and permissions for specific resources, such as a\nsingle Cloud Storage bucket located in a different project. In this\napproach, you use resource-based access with conditional role bindings.\n\nTo access a specific resource:\n\n1. Follow the [Configure resource-based access](/iam/docs/configuring-resource-based-access) guide.\n2. When granting roles and permissions, specify the [service account of your environment](#view-service-account) as a principal.\n\nAccess a resource type\n\nAs an alternative, you can grant roles and permissions based on the resource\ntype, such as all Cloud Storage buckets located in a different\nproject.\n\nTo access a resource type:\n\n1. Follow the [Manage access to other resources](/iam/docs/manage-access-other-resources) guide.\n2. When granting roles and permissions, specify the [service account of your environment](#view-service-account) as a principal.\n\nAfter you grant the required permissions and roles, you can access resources in\na different project with the same default Airflow connections\nthat you use to access resources in the project where your environment is\nlocated.\n\nWhat's next\n\n- [Access control with IAM](/composer/docs/composer-1/access-control)\n- [Manage Airflow connections](/composer/docs/composer-1/manage-airflow-connections)\n- [Configure resource location restrictions](/composer/docs/composer-1/configure-resource-location-restrictions)"]]
