Pada 15 September 2026, semua lingkungan Cloud Composer 1 dan Cloud Composer 2 versi 2.0.x akan mencapai akhir masa pakainya yang direncanakan, dan Anda tidak akan dapat menggunakannya. Sebaiknya rencanakan migrasi ke Cloud Composer 3.
Jika Anda ingin menggunakan operator Airflow untuk berinteraksi dengan lingkungan Cloud Composer, termasuk lingkungan di project lain, lihat Memicu DAG di lingkungan dan project lain.
Sebaiknya akses resource dalam project Google Cloud lain dengan
cara berikut:
Di DAG, gunakan koneksi default yang telah dikonfigurasi sebelumnya di
lingkungan Anda.
Misalnya, koneksi google_cloud_default digunakan oleh banyak
operatorGoogle Cloud dan dikonfigurasi secara otomatis saat Anda
membuat lingkungan.
Berikan izin dan peran IAM tambahan ke
akun layanan lingkungan Anda, sehingga dapat
mengakses resource di project lain.
Menentukan akun layanan lingkungan Anda
Untuk menentukan akun layanan lingkungan Anda:
Konsol
Di Google Cloud console, buka halaman Environments.
Nilainya adalah alamat email, seperti
service-account-name@example-project.iam.gserviceaccount.com.
Memberikan peran dan izin IAM untuk mengakses resource di project lain
Akun layanan lingkungan Anda memerlukan izin untuk mengakses
resource di project lain. Peran dan izin ini dapat berbeda
berdasarkan resource yang ingin Anda akses.
Mengakses resource tertentu
Sebaiknya berikan peran dan izin untuk resource tertentu, seperti
satu bucket Cloud Storage yang berada di project lain. Dalam pendekatan
ini, Anda menggunakan akses berbasis resource dengan binding peran bersyarat.
Setelah memberikan izin dan peran yang diperlukan, Anda dapat mengakses resource di
project lain dengan koneksi Airflow default yang sama
yang Anda gunakan untuk mengakses resource di project tempat lingkungan Anda
berada.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-08-29 UTC."],[[["\u003cp\u003eThis document explains how to access Google Cloud resources located in a different project than your Cloud Composer environment.\u003c/p\u003e\n"],["\u003cp\u003eAccessing resources in another project is recommended to be done through the default connections preconfigured in your environment.\u003c/p\u003e\n"],["\u003cp\u003eThe service account associated with your Cloud Composer environment needs to be granted specific IAM roles and permissions to enable cross-project resource access.\u003c/p\u003e\n"],["\u003cp\u003eYou can determine your Cloud Composer environment's service account through the Google Cloud console or using the \u003ccode\u003egcloud\u003c/code\u003e command-line tool.\u003c/p\u003e\n"],["\u003cp\u003ePermissions can be granted for access to either specific resources or to all resources of a certain type in the other Google Cloud Project.\u003c/p\u003e\n"]]],[],null,["\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/access-resources-in-another-project \"View this page for Cloud Composer 3\") \\| **Cloud Composer 2** \\| [Cloud Composer 1](/composer/docs/composer-1/access-resources-in-another-project \"View this page for Cloud Composer 1\")\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page describes how to access resources that are located in a different\nGoogle Cloud project than your Cloud Composer environment.\n\nIf you want to use a service account from one project to run environments in\nanother project, see\n[Using a service account from another project](/composer/docs/composer-2/access-control#cross-project).\n\nIf you want to use Airflow operators to interact with Cloud Composer\nenvironments, including environments in other projects, see\n[Trigger DAGs in other environments and projects](/composer/docs/composer-2/trigger-dags-in-other-environments).\n\nWe recommend to access resources in other Google Cloud projects in the\nfollowing way:\n\n1. In your DAGs, use the default connections that are preconfigured in your\n environment.\n\n For example, the `google_cloud_default` connection is used by many\n Google Cloud operators and is automatically configured when you\n create an environment.\n2. Grant extra IAM permissions and roles to the\n [service account of your environment](/composer/docs/composer-2/access-control#service-account), so that it can\n access resources in a different project.\n\nDetermine the service account of your environment\n\nTo determine the service account of your environment: \n\nConsole\n\n1. In Google Cloud console, go to the **Environments** page.\n\n [Go to Environments](https://console.cloud.google.com/composer/environments)\n2. In the list of environments, click the name of your environment.\n The **Environment details** page opens.\n\n3. Go to the **Environment configuration** tab.\n\n4. The service account of your environment is listed in\n the **Service account** field.\n\n The value is an email address, such as\n `service-account-name@example-project.iam.gserviceaccount.com`.\n\ngcloud \n\n gcloud composer environments describe \u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e \\\n --format=\"get(config.nodeConfig.serviceAccount)\"\n\nThe value is an email address, such as\n`service-account-name@example-project.iam.gserviceaccount.com`.\n\nGrant IAM roles and permissions to access resources in another project\n\nThe service account of your environment requires permissions to access\nresources in another project. These roles and permissions can be different\nbased on the resource that you want to access.\n\nAccess a specific resource\n\nWe recommend to grant roles and permissions for specific resources, such as a\nsingle Cloud Storage bucket located in a different project. In this\napproach, you use resource-based access with conditional role bindings.\n\nTo access a specific resource:\n\n1. Follow the [Configure resource-based access](/iam/docs/configuring-resource-based-access) guide.\n2. When granting roles and permissions, specify the [service account of your environment](#view-service-account) as a principal.\n\nAccess a resource type\n\nAs an alternative, you can grant roles and permissions based on the resource\ntype, such as all Cloud Storage buckets located in a different\nproject.\n\nTo access a resource type:\n\n1. Follow the [Manage access to other resources](/iam/docs/manage-access-other-resources) guide.\n2. When granting roles and permissions, specify the [service account of your environment](#view-service-account) as a principal.\n\nAfter you grant the required permissions and roles, you can access resources in\na different project with the same default Airflow connections\nthat you use to access resources in the project where your environment is\nlocated.\n\nWhat's next\n\n- [Access control with IAM](/composer/docs/composer-2/access-control)\n- [Manage Airflow connections](/composer/docs/composer-2/manage-airflow-connections)\n- [Configure resource location restrictions](/composer/docs/composer-2/configure-resource-location-restrictions)"]]
