Access environments with Workforce Identity Federation

Cloud Composer 3 | Cloud Composer 2 | Cloud Composer 1

This page describes how to configure user access to your Cloud Composer environment with Workforce Identity Federation.

About Workforce Identity Federation in Cloud Composer

Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using IAM, so that the users can access Google Cloud services. For more information about Workforce Identity Federation, see Workforce Identity Federation.

If Workforce Identity Federation is configured in your project, you can access your environment in the following ways:

  • Cloud Composer page in Google Cloud console
  • Airflow UI
  • Google Cloud CLI, including running Airflow CLI commands
  • Cloud Composer API
  • Airflow REST API

Before you begin

  • All new Cloud Composer environments created starting from version 2.1.11 and Airflow version 2.4.3 support Workforce Identity Federation. You don't need to configure your environment in any specific way to support Workforce Identity Federation.

  • Environments created before version 2.1.11 and Airflow version 2.4.3 and upgraded to later versions don't support Workforce Identity Federation. You can check if your environment supports Workforce Identity Federation.

  • Cloud Storage limitations for Workforce Identity Federation apply to the environment's bucket. In particular, you must enable uniform bucket-level access on the environment's bucket to let external identities upload their DAGs and files to this bucket.

  • Emails sent from Airflow only include the Airflow UI URL for Google accounts. Because external identities can only access Airflow UI through the Airflow UI URL for external identities, the link must be adjusted (changed to the URL for external identities).

Set up access to your environment with Workforce Identity Federation

This section describes steps to configure access for external identities to your Cloud Composer environment.

Configure your identity provider

Configure Workforce Identity Federation for your identity provider by following the Configure Workforce Identity Federation guide.

Grant IAM roles to external identities

In Identity and Access Management, grant IAM roles to sets of external identities, so that they can access and interact with your environment:

  • For a list of roles specific to Cloud Composer, see Grant roles to users. For example, the Environment User and Storage Object Viewer (composer.environmentAndStorageObjectViewer) role allows a user to view environments, access the Airflow UI, view and trigger DAGs from the DAG UI, and view objects in environment buckets.

  • For instructions about assigning these roles to external users, see Grant IAM roles to principals.

  • For a format of representing external identities in IAM policies, see Represent workforce pool users in IAM policies.

Check that new users receive correct Airflow roles in Airflow UI Access Control

Cloud Composer handles Airflow users for external identities in the same way as for Google account users. Instead of an email address, a principal identifier is used. When an external identity accesses Airflow UI for the first time, an Airflow user is automatically registered in the Airflow role-based access control system with the default role.

Check that new users receive correct Airflow roles in Airflow UI Access Control. You have two options:

  • Let external identities receive the default role after they access Airflow UI for the first time. If required, Airflow admin users can then change this role to a different one.
  • Preregister external identities with a set of required roles by adding Airflow user records with the user name and email fields set to their principal identifiers. In this way, external identities get the role that you assigned to them, not the default role.

Check if an environment supports Workforce Identity Federation

To check if your environment supports Workforce Identity Federation, run the following Google Cloud CLI command. If the output shows a URI, then your environment supports Workforce Identity Federation.

gcloud composer environments describe ENVIRONMENT_NAME \
  --location LOCATION \
  --format="value(config.airflowByoidUri)"

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • LOCATION with the region where the environment is located.

Example:

gcloud composer environments describe example-environment \
  --location us-central1 \
  --format="value(config.airflowByoidUri)"

Access Cloud Composer page in Google Cloud console

Google Cloud Workforce Identity Federation console provides access to the Cloud Composer page.

From the Composer page in Google Cloud Workforce Identity Federation console, you can access the UI for managing environments, Cloud Composer logs, monitoring and DAG UI.

All links to Airflow UI in the federated console point to the Airflow UI access point for external identities.

Environments in versions earlier than 2.1.11 and or Airflow versions earlier than 2.4.3 might have their Airflow UI links marked as "Not available". This indicates that this environment doesn't support Workforce Identity Federation users in Airflow UI. Airflow UI for this environment can only be accessed with Google Accounts.

Access Airflow UI

Cloud Composer environments have two URLs for the Airflow UI: one for Google accounts and another for external identities. External identities must access Airflow UI through the URL for external identities.

  • The URL for external identities is https://<UNIQUE_ID>.composer.byoid.googleusercontent.com.

  • The URL for Google accounts is https://<UNIQUE_ID>.composer.googleusercontent.com.

Only users that are authenticated with external identities can access the URL for external identities. If a user visits the URL for external identities while not logged in, they are first redirected to the authentication portal where they specify their workforce pool provider name, then they are redirected to their identity provider to sign in, and finally they are redirected to the Airflow UI of the environment.

Access DAG UI in Google Cloud console

The DAG UI is available for external identity users as part of the federated console. You can control the access with IAM policies.

The Airflow role-based access in the environments with full Workforce Identity Federation support is also taken into account and can be used to limit which DAGs are visible for individual users by setting up roles, as described in Using Airflow UI Access Control.

Access Google Cloud CLI

To access your environment through Google Cloud CLI, external identities must do the following:

  1. Sign in with Google Cloud CLI using an external identity.
  2. Run gcloud composer environments commands.

Access Cloud Composer API

Cloud Composer API can be used with external identities to manage all Cloud Composer environments with the supported authentication methods such as OAuth tokens.

Access Airflow REST API

Airflow REST API is available at the endpoint for external identities with the supported authentication methods such as OAuth tokens.

To get the URL of the endpoint for external identities for your environment, run the following Google Cloud CLI command:

gcloud composer environments describe ENVIRONMENT_NAME \
  --location LOCATION \
  --format="value(config.airflowByoidUri)"

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • LOCATION with the region where the environment is located.

Example:

gcloud composer environments describe example-environment \
  --location us-central1 \
  --format="value(config.airflowByoidUri)"

What's next