Le 15 septembre 2026, tous les environnements Cloud Composer 1 et Cloud Composer 2 version 2.0.x atteindront leur fin de vie prévue et vous ne pourrez plus les utiliser. Nous vous recommandons de planifier la migration vers Cloud Composer 3.
Pour exécuter une application stratégique sur Cloud Composer, différentes responsabilités doivent être assumées par plusieurs groupes. Bien que cette liste ne soit pas exhaustive, ce document répertorie les responsabilités de Google et du client.
Responsabilités de Google
Le renforcement et l'application de correctifs aux composants de l'environnement Cloud Composer et à l'infrastructure sous-jacente, y compris le cluster Google Kubernetes Engine, la base de données Cloud SQL (qui héberge la base de données Airflow), Pub/Sub, Artifact Registry et d'autres éléments de l'environnement. Cela inclut notamment la mise à niveau automatique de l'infrastructure sous-jacente, y compris le cluster GKE et l'instance Cloud SQL d'un environnement.
Fournir des intégrations Google Cloud pour Identity and Access Management, Cloud Audit Logs et Cloud Key Management Service.
Limiter et consigner l'accès administrateur Google aux clusters des clients à des fins d'assistance contractuelle avec Access Transparency et Access Approval.
Publication d'informations sur les modifications incompatibles avec les versions antérieures entre les versions de Cloud Composer et d'Airflow dans les notes de version de Cloud Composer.
Mise à jour de la documentation Cloud Composer :
Description de toutes les fonctionnalités fournies par Cloud Composer.
Fournir des instructions de dépannage qui aident à maintenir les environnements en bon état.
Publication d'informations sur les problèmes connus et les solutions de contournement (le cas échéant).
Résoudre les incidents de sécurité critiques liés aux environnements Cloud Composer et aux images Airflow fournies par Cloud Composer (à l'exclusion des packages Python installés par le client) en fournissant de nouvelles versions d'environnement permettant de résoudre les incidents.
Dépannage des problèmes d'état de l'environnement Cloud Composer en fonction du forfait d'assistance du client.
Coopération avec la communauté Apache Airflow pour la maintenance et le développement des opérateurs Google Airflow.
Résoudre les problèmes et, si possible, les corriger dans les fonctionnalités de base d'Airflow.
Responsabilités du client
Mettez à niveau Cloud Composer et Airflow vers de nouvelles versions pour continuer à bénéficier de l'assistance produit et résoudre les problèmes de sécurité dès que le service Cloud Composer publie une version de Cloud Composer qui résout ces problèmes.
Maintenir le code des DAG pour qu'il reste compatible avec la version d'Airflow utilisée.
Conserver intacte la configuration du cluster GKE de l'environnement, en particulier sa fonctionnalité de mise à niveau automatique.
Maintenir les autorisations appropriées dans IAM pour le compte de service de l'environnement. En particulier, conservez les autorisations requises par l'agent Cloud Composer et le compte de service de l'environnement. Maintenir l'autorisation requise pour la clé CMEK utilisée pour le chiffrement de l'environnement Cloud Composer et la faire pivoter selon vos besoins.
Maintenir les autorisations appropriées dans IAM pour le bucket de l'environnement et le dépôt Artifact Registry où sont stockées les images de composants de Cloud Composer.
Maintenir les autorisations IAM appropriées pour un compte de service qui effectue des installations de packages PyPI. Pour en savoir plus, consultez la page Contrôle des accès.
Maintenir des autorisations appropriées pour les utilisateurs finaux dans IAM et la configuration du contrôle des accès à l'interface utilisateur d'Airflow.
Maintenir la taille de la base de données Airflow en dessous de 16 Go à l'aide du DAG de maintenance.
Résolvez tous les problèmes d'analyse DAG avant de créer des demandes d'assistance auprès du Cloud Customer Care.
Nommer correctement les DAG (par exemple, sans utiliser de caractères invisibles comme ESPACE ou TAB dans les noms de DAG) afin que les métriques puissent être correctement signalées pour les DAG.
Mettez à niveau le code des DAG afin qu'il n'utilise pas d'opérateurs obsolètes et migrez vers leurs alternatives à jour. Les opérateurs obsolètes peuvent être supprimés des fournisseurs Airflow, ce qui peut avoir un impact sur vos plans de mise à niveau vers une version ultérieure de Cloud Composer ou d'Airflow. Les opérateurs obsolètes ne sont pas non plus mis à jour et doivent être utilisés "tels quels".
Configurer les autorisations IAM appropriées lorsque vous utilisez des backends secrets tels que Secret Manager afin que le compte de service de l'environnement y ait accès.
Ajustez les paramètres de l'environnement Cloud Composer (tels que le processeur et la mémoire des composants Airflow) et les configurations Airflow pour répondre aux attentes en termes de performances et de charge des environnements Cloud Composer à l'aide du guide d'optimisation de Cloud Composer et du guide de scaling d'environnement.
Évitez de supprimer les autorisations requises par les comptes de service de l'agent et de l'environnement Cloud Composer (la suppression de ces autorisations peut entraîner l'échec des opérations de gestion ou des DAG et des tâches).
Évitez d'installer ou d'exécuter des composants supplémentaires dans le cluster GKE de l'environnement qui interfèrent avec les composants Cloud Composer et les empêchent de fonctionner correctement.
Sauf indication contraire, le contenu de cette page est régi par une licence Creative Commons Attribution 4.0, et les échantillons de code sont régis par une licence Apache 2.0. Pour en savoir plus, consultez les Règles du site Google Developers. Java est une marque déposée d'Oracle et/ou de ses sociétés affiliées.
Dernière mise à jour le 2025/09/03 (UTC).
[[["Facile à comprendre","easyToUnderstand","thumb-up"],["J'ai pu résoudre mon problème","solvedMyProblem","thumb-up"],["Autre","otherUp","thumb-up"]],[["Difficile à comprendre","hardToUnderstand","thumb-down"],["Informations ou exemple de code incorrects","incorrectInformationOrSampleCode","thumb-down"],["Il n'y a pas l'information/les exemples dont j'ai besoin","missingTheInformationSamplesINeed","thumb-down"],["Problème de traduction","translationIssue","thumb-down"],["Autre","otherDown","thumb-down"]],["Dernière mise à jour le 2025/09/03 (UTC)."],[[["\u003cp\u003eGoogle is responsible for hardening, patching, and auto-upgrading the Cloud Composer environment's infrastructure, as well as protecting access and data encryption.\u003c/p\u003e\n"],["\u003cp\u003eCustomers are responsible for upgrading to new Cloud Composer and Airflow versions, maintaining DAG code compatibility, and managing IAM permissions for the environment's service account and related resources.\u003c/p\u003e\n"],["\u003cp\u003eGoogle will resolve critical security incidents in Cloud Composer and the Airflow images that they provide, while the customer is responsible for making sure that they upgrade to new versions when available.\u003c/p\u003e\n"],["\u003cp\u003eCustomers are responsible for keeping the size of the Airflow database below 16GB and resolving DAG parsing issues.\u003c/p\u003e\n"],["\u003cp\u003eCustomers must ensure proper IAM permissions are configured when using secret backends, and for services used for PyPI packages installations, and other end users.\u003c/p\u003e\n"]]],[],null,["# Cloud Composer shared responsibility model\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/shared-responsibility \"View this page for Cloud Composer 3\") \\| [Cloud Composer 2](/composer/docs/composer-2/shared-responsibility \"View this page for Cloud Composer 2\") \\| **Cloud Composer 1**\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nRunning a business-critical application on Cloud Composer requires\nmultiple parties to carry different responsibilities. While not an exhaustive\nlist, this document lists the responsibilities for both Google and the Customer\nsides.\n\nGoogle Responsibilities\n-----------------------\n\n- [Hardening](/container-optimized-os/docs/concepts/security) and\n [patching](/kubernetes-engine/docs/resources/security-patching) the Cloud Composer\n environment's components and underlying infrastructure, including\n Google Kubernetes Engine cluster, Cloud SQL database (that hosts the Airflow\n database), Pub/Sub, Artifact Registry and other environment\n elements. In particular, this includes auto-upgrading the underlying\n infrastructure, including the GKE cluster and\n Cloud SQL instance of an environment.\n\n | **Note:** Cloud Composer 1 is in the post-maintenance mode and new versions of Cloud Composer 1 with security fixes are no longer published. Migrate to Cloud Composer 2 to get the latest version updates with security improvements.\n- Protecting access to Cloud Composer environments through\n incorporating access control provided by IAM,\n [encrypting data at rest by default](/security/encryption-at-rest/default-encryption),\n providing [additional customer-managed storage encryption](/kubernetes-engine/docs/how-to/using-cmek),\n [encrypting data in transit](/security/encryption-in-transit).\n\n- Providing Google Cloud integrations for Identity and Access Management, Cloud Audit Logs\n and Cloud Key Management Service.\n\n- Restricting and logging Google administrative access to customers' clusters\n for contractual support purposes with\n [Access Transparency](/access-transparency) and\n [Access Approval](/cloud-provider-access-management/access-approval/docs/overview).\n\n- Publishing information about backward incompatible changes between\n Cloud Composer and Airflow versions in\n [Cloud Composer Release Notes](/composer/docs/release-notes).\n\n- Keeping Cloud Composer documentation up to date:\n\n - Providing description of all functionalities provided by\n Cloud Composer.\n\n - Providing troubleshooting instructions that help to keep environments in\n a healthy state.\n\n - Publishing information about known issues with workarounds (if they\n exist).\n\n- Resolving critical security incidents related to Cloud Composer\n environments and Airflow images provided by Cloud Composer\n (excluding customer-installed Python packages) by delivering new\n environment versions addressing the incidents.\n\n- Depending on customer's Support Plan, troubleshooting of\n Cloud Composer environment health issues.\n\n- Maintaining and expanding the functionality of the\n [Cloud Composer Terraform provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment).\n\n- Cooperating with the Apache Airflow community to maintain and develop\n [Google Airflow operators](https://airflow.apache.org/docs/apache-airflow-providers-google/stable/operators/cloud/cloud_composer.html).\n\n | **Note:** Google won't fix or troubleshoot issues in operator providers for third-party services or products.\n- Troubleshooting and, if possible, fixing issues in Airflow core\n functionalities.\n\nCustomer responsibilities\n-------------------------\n\n- Upgrading to new Cloud Composer and Airflow versions to keep\n support for the product and to resolve security issues once\n Cloud Composer service publishes a Cloud Composer\n version that addresses the issues.\n\n- Maintaining the DAGs code to keep it compatible with the used Airflow version.\n\n- Keeping the environment's GKE cluster configuration intact,\n particularly including its auto-upgrade feature.\n\n- Maintaining proper permissions in IAM for the environment's\n service account. Particularly, keeping permissions required by the\n [Cloud Composer Agent](/composer/docs/composer-1/access-control#composer-sa) and the\n [environment's service account](/composer/docs/composer-1/access-control#service-account). Maintaining\n required permission for the CMEK key used for Cloud Composer\n environment encryption and rotating it according to your needs.\n\n | **Caution:** We recommend to [set up a user-managed service account](/composer/docs/composer-1/access-control#custom-service-account) for Cloud Composer environments that has only the required set of permissions that are necessary to run the environment and perform operations defined in your DAGs. The **Composer Worker** (`composer.worker`) role provides this required set of permissions in most cases. Add extra permissions to this service account only when it's necessary for the operation of your DAGs. \n |\n | Although we recommend against using this approach, if you don't specify an environment's service account, then your Cloud Composer environment uses the default Compute Engine service account. The default Compute Engine service account usually has the **Editor** basic role, which contains many more permissions than necessary to run Cloud Composer environments and thus creates a risk of DAGs using broader permissions than intended.\n- Maintaining proper permissions in IAM for the environment's\n bucket\n\n and Artifact Registry repository where Cloud Composer's component images are stored\n\n .\n\n | **Caution:** Users with read-write access to the following components:\n | - Your environment's bucket\n | - Artifact Registry repositories with container images used by: %Airflow components, `GKEPodOperator`, or `GKEStartPodOperator`\n |\n | can deploy their own versions of DAGs or container images to an environment\n | even without explicit Cloud Composer-related permissions.\n | These DAGs or images can be later executed in your environment\n | with the permissions of the Cloud Composer environment\n | service account.\n- Maintaining proper IAM permissions for a service account\n that performs PyPI packages installations. For more information, see\n [Access control](/composer/docs/composer-1/access-control#service-account-security).\n\n | **Caution:** Users with read-write access to the environment's bucket or those who can initiate PyPI packages installations can initate the process of building images on behalf of a service account which is used to perform such builds. This service account is called the environment's service account that is specified during the environment creation, It can be a user-provided service account, or the default service account.\n- Maintaining proper end user permissions in IAM and Airflow\n UI Access Control configuration.\n\n- Keeping Airflow database size below\n 16 GB through\n using the [maintenance DAG](/composer/docs/composer-1/cleanup-airflow-database).\n\n- Resolving all DAG parsing issues before raising support cases to\n Cloud Customer Care.\n\n- Naming DAGs in a proper way (for example, without using invisible characters\n like SPACE or TAB in DAG names) so that metrics can be reported correctly\n for DAGs.\n\n- Upgrade the code of DAGs so that it doesn't use deprecated operators and\n migrate to their up to date alternatives. Deprecated operators might be\n removed from Airflow providers, which might impact your plans to upgrade\n to a later Cloud Composer or Airflow version. The deprecated\n operators are also not maintained and they must be used 'as is'.\n\n- Configuring proper IAM permissions when using secret\n backends like Secret Manager so that the environment's\n service account has access to it.\n\n- Adjusting Cloud Composer environment parameters (such as CPU and\n memory for Airflow components) and Airflow configurations to meet\n performance and load expectations of Cloud Composer environments\n using\n [Cloud Composer optimization guide](/composer/docs/composer-2/optimize-environments)\n and [environment scaling guide](/composer/docs/composer-1/scale-environments).\n\n- Avoiding removing permissions required by Cloud Composer Agent and\n environment's service accounts (removing these permissions can lead either\n to failed management operations or to DAG and task failures).\n\n- Keeping\n [all services and APIs required by Cloud Composer](/composer/docs/composer-1/enable-composer-service#required-services)\n always enabled. These dependencies must have quotas configured at levels\n required for Cloud Composer.\n\n- Keeping Artifact Registry repositories that host container images used by\n Cloud Composer environments.\n\n- [Following recommendations and best practices](/composer/docs/composer-1/write-dags) for\n implementing DAGs.\n\n- Diagnosing DAG and task failures using instructions for\n [scheduler troubleshooting](/composer/docs/composer-1/troubleshooting-scheduling),\n [DAG troubleshooting](/composer/docs/composer-1/troubleshooting-dags) and\n [triggerer troubleshooting](/composer/docs/composer-2/troubleshooting-triggerer).\n\n- Avoiding installing or running additional components in the environment's\n GKE cluster that interfere with Cloud Composer\n components and prevent them from functioning correctly.\n\nWhat's next\n-----------\n\n- [Access control with IAM](/composer/docs/composer-1/access-control)\n- [Clean up the Airflow database](/composer/docs/composer-1/cleanup-airflow-database)\n- [Security overview](/composer/docs/composer-1/composer-security-overview)"]]
