Am 15. September 2026erreichen alle Cloud Composer 1- und Cloud Composer 2-Umgebungen der Version 2.0.x das geplante Ende des Lebenszyklus und können nicht mehr verwendet werden. Wir empfehlen, die Migration zu Cloud Composer 3 zu planen.
Für das Ausführen geschäftskritischer Anwendungen in Cloud Composer müssen mehrere Parteien unterschiedliche Verantwortlichkeiten übernehmen. In diesem Dokument sind die Verantwortlichkeiten für Google und den Kunden aufgeführt. Die Liste ist jedoch nicht vollständig.
Verantwortlichkeiten von Google
Härtung und Patchen der Komponenten und der zugrunde liegenden Infrastruktur der Cloud Composer-Umgebung, einschließlich Google Kubernetes Engine-Cluster, Cloud SQL-Datenbank (die die Airflow-Datenbank hostet), Pub/Sub, Artifact Registry und anderer Umgebungselemente. Dazu gehört insbesondere das automatische Upgrade der zugrunde liegenden Infrastruktur, einschließlich des GKE-Cluster und der Cloud SQL-Instanz einer Umgebung.
Bereitstellung von Google Cloud Integrationen für Identity and Access Management, Cloud-Audit-Logs und Cloud Key Management Service.
Beschränken und Protokollieren des administrativen Zugriffs von Google auf Kundencluster mit Access Transparency und Access Approval für vertragliche Supportzwecke.
Informationen zu nicht abwärtskompatiblen Änderungen zwischen Cloud Composer- und Airflow-Versionen in den Cloud Composer-Releasehinweisen veröffentlichen.
Cloud Composer-Dokumentation auf dem neuesten Stand halten:
Beschreibung aller Funktionen von Cloud Composer.
Anleitungen zur Fehlerbehebung, die dazu beitragen, dass Umgebungen in einem fehlerfreien Zustand bleiben.
Informationen zu bekannten Problemen mit Umgehungsmöglichkeiten veröffentlichen (falls vorhanden)
Behebung kritischer Sicherheitsvorfälle im Zusammenhang mit Cloud Composer-Umgebungen und von Cloud Composer bereitgestellten Airflow-Images (ausgenommen vom Kunden installierte Python-Pakete) durch Bereitstellung neuer Umgebungsversionen, die die Vorfälle beheben.
Je nach Supportplan des Kunden Fehlerbehebung bei Problemen mit der Verfügbarkeit der Cloud Composer-Umgebung.
Zusammenarbeit mit der Apache Airflow-Community zur Pflege und Entwicklung von Google Airflow-Operatoren.
Fehlerbehebung und Behebung von Problemen mit den Hauptfunktionen von Airflow.
Pflichten der Kunden
Führen Sie ein Upgrade auf neue Cloud Composer- und Airflow-Versionen durch, um den Support für das Produkt aufrechtzuerhalten und Sicherheitsprobleme zu beheben, sobald der Cloud Composer-Dienst eine Cloud Composer-Version veröffentlicht, die die Probleme behebt.
Den DAG-Code so pflegen, dass er mit der verwendeten Airflow-Version kompatibel bleibt.
Die GKE-Clusterkonfiguration der Umgebung bleibt intakt, insbesondere die Funktion für automatische Upgrades.
Für das Dienstkonto der Umgebung müssen die richtigen Berechtigungen in IAM festgelegt sein. Insbesondere müssen die Berechtigungen beibehalten werden, die vom Cloud Composer-Agenten und vom Dienstkonto der Umgebung benötigt werden. Sie müssen die erforderlichen Berechtigungen für den CMEK-Schlüssel verwalten, der für die Verschlüsselung der Cloud Composer-Umgebung verwendet wird, und ihn nach Bedarf rotieren.
Die richtigen Berechtigungen in IAM für den Bucket der Umgebung und das Artifact Registry-Repository verwalten, in dem die Komponenten-Images von Cloud Composer gespeichert sind.
Die richtigen IAM-Berechtigungen für ein Dienstkonto verwalten, das PyPI-Paketinstallationen durchführt Weitere Informationen finden Sie unter Zugriffssteuerung.
Die richtigen Endnutzerberechtigungen in der IAM- und Airflow-UI-Zugriffssteuerungskonfiguration beibehalten
Airflow-Datenbankgröße mithilfe des Wartungs-DAG unter 16 GB halten
Beheben Sie alle Probleme beim DAG-Parsen, bevor Sie Supportanfragen an Cloud Customer Care senden.
DAGs müssen richtig benannt werden, z. B. ohne unsichtbare Zeichen wie LEERZEICHEN oder TABELLENSÄTZE in DAG-Namen, damit Messwerte für DAGs korrekt erfasst werden können.
Aktualisieren Sie den Code von DAGs, damit keine veralteten Operatoren verwendet werden, und migrieren Sie zu den aktuellen Alternativen. Eingestellte Operatoren werden möglicherweise von Airflow-Anbietern entfernt. Das kann sich auf Ihre Pläne für ein Upgrade auf eine neuere Cloud Composer- oder Airflow-Version auswirken. Die eingestellten Operatoren werden nicht mehr gepflegt und müssen unverändert verwendet werden.
Konfigurieren Sie die richtigen IAM-Berechtigungen, wenn Sie Secret-Backends wie Secret Manager verwenden, damit das Dienstkonto der Umgebung darauf zugreifen kann.
Anpassen der Cloud Composer-Umgebungsparameter (z. B. CPU und Arbeitsspeicher für Airflow-Komponenten) und Airflow-Konfigurationen, um die Leistungs- und Lastanforderungen von Cloud Composer-Umgebungen zu erfüllen, mithilfe des Cloud Composer-Optimierungsleitfadens und des Leitfadens zur Umgebungsskalierung
Entfernen Sie keine Berechtigungen, die vom Cloud Composer-Agenten und den Dienstkonten der Umgebung benötigt werden. Das Entfernen dieser Berechtigungen kann zu fehlgeschlagenen Verwaltungsvorgängen oder zu DAG- und Aufgabenausfällen führen.
Vermeiden Sie die Installation oder Ausführung zusätzlicher Komponenten im GKE-Cluster der Umgebung, die die Cloud Composer-Komponenten beeinträchtigen und ihre ordnungsgemäße Funktion verhindern.
[[["Leicht verständlich","easyToUnderstand","thumb-up"],["Mein Problem wurde gelöst","solvedMyProblem","thumb-up"],["Sonstiges","otherUp","thumb-up"]],[["Schwer verständlich","hardToUnderstand","thumb-down"],["Informationen oder Beispielcode falsch","incorrectInformationOrSampleCode","thumb-down"],["Benötigte Informationen/Beispiele nicht gefunden","missingTheInformationSamplesINeed","thumb-down"],["Problem mit der Übersetzung","translationIssue","thumb-down"],["Sonstiges","otherDown","thumb-down"]],["Zuletzt aktualisiert: 2025-08-29 (UTC)."],[[["\u003cp\u003eGoogle is responsible for hardening, patching, and auto-upgrading the Cloud Composer environment's infrastructure, as well as ensuring data encryption and providing access control.\u003c/p\u003e\n"],["\u003cp\u003eCustomers are responsible for upgrading to new Cloud Composer and Airflow versions, maintaining DAG code compatibility, and keeping the environment's GKE cluster configuration intact.\u003c/p\u003e\n"],["\u003cp\u003eCustomers must also manage IAM permissions for various service accounts, the environment's bucket, and Artifact Registry, and also for any processes related to PyPI packages installation.\u003c/p\u003e\n"],["\u003cp\u003eMaintaining proper end-user permissions, managing the Airflow database size, and resolving DAG parsing issues before contacting support are customer responsibilities.\u003c/p\u003e\n"],["\u003cp\u003eCustomers must adhere to the proper permissions, keep required services enabled and follow the recommendations and best practices for implementing DAGs, also adjusting environment parameters and diagnosing DAG failures.\u003c/p\u003e\n"]]],[],null,["# Cloud Composer shared responsibility model\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/shared-responsibility \"View this page for Cloud Composer 3\") \\| **Cloud Composer 2** \\| [Cloud Composer 1](/composer/docs/composer-1/shared-responsibility \"View this page for Cloud Composer 1\")\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nRunning a business-critical application on Cloud Composer requires\nmultiple parties to carry different responsibilities. While not an exhaustive\nlist, this document lists the responsibilities for both Google and the Customer\nsides.\n\nGoogle Responsibilities\n-----------------------\n\n- [Hardening](/container-optimized-os/docs/concepts/security) and\n [patching](/kubernetes-engine/docs/resources/security-patching) the Cloud Composer\n environment's components and underlying infrastructure, including\n Google Kubernetes Engine cluster, Cloud SQL database (that hosts the Airflow\n database), Pub/Sub, Artifact Registry and other environment\n elements. In particular, this includes auto-upgrading the underlying\n infrastructure, including the GKE cluster and\n Cloud SQL instance of an environment.\n\n | **Note:** Cloud Composer 1 is in the post-maintenance mode and new versions of Cloud Composer 1 with security fixes are no longer published. Migrate to Cloud Composer 2 to get the latest version updates with security improvements.\n- Protecting access to Cloud Composer environments through\n incorporating access control provided by IAM,\n [encrypting data at rest by default](/security/encryption-at-rest/default-encryption),\n providing [additional customer-managed storage encryption](/kubernetes-engine/docs/how-to/using-cmek),\n [encrypting data in transit](/security/encryption-in-transit).\n\n- Providing Google Cloud integrations for Identity and Access Management, Cloud Audit Logs\n and Cloud Key Management Service.\n\n- Restricting and logging Google administrative access to customers' clusters\n for contractual support purposes with\n [Access Transparency](/access-transparency) and\n [Access Approval](/cloud-provider-access-management/access-approval/docs/overview).\n\n- Publishing information about backward incompatible changes between\n Cloud Composer and Airflow versions in\n [Cloud Composer Release Notes](/composer/docs/release-notes).\n\n- Keeping Cloud Composer documentation up to date:\n\n - Providing description of all functionalities provided by\n Cloud Composer.\n\n - Providing troubleshooting instructions that help to keep environments in\n a healthy state.\n\n - Publishing information about known issues with workarounds (if they\n exist).\n\n- Resolving critical security incidents related to Cloud Composer\n environments and Airflow images provided by Cloud Composer\n (excluding customer-installed Python packages) by delivering new\n environment versions addressing the incidents.\n\n- Depending on customer's Support Plan, troubleshooting of\n Cloud Composer environment health issues.\n\n- Maintaining and expanding the functionality of the\n [Cloud Composer Terraform provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment).\n\n- Cooperating with the Apache Airflow community to maintain and develop\n [Google Airflow operators](https://airflow.apache.org/docs/apache-airflow-providers-google/stable/operators/cloud/cloud_composer.html).\n\n | **Note:** Google won't fix or troubleshoot issues in operator providers for third-party services or products.\n- Troubleshooting and, if possible, fixing issues in Airflow core\n functionalities.\n\nCustomer responsibilities\n-------------------------\n\n- Upgrading to new Cloud Composer and Airflow versions to keep\n support for the product and to resolve security issues once\n Cloud Composer service publishes a Cloud Composer\n version that addresses the issues.\n\n- Maintaining the DAGs code to keep it compatible with the used Airflow version.\n\n- Keeping the environment's GKE cluster configuration intact,\n particularly including its auto-upgrade feature.\n\n- Maintaining proper permissions in IAM for the environment's\n service account. Particularly, keeping permissions required by the\n [Cloud Composer Agent](/composer/docs/composer-2/access-control#composer-sa) and the\n [environment's service account](/composer/docs/composer-2/access-control#service-account). Maintaining\n required permission for the CMEK key used for Cloud Composer\n environment encryption and rotating it according to your needs.\n\n | **Caution:** We recommend to [set up a user-managed service account](/composer/docs/composer-2/access-control#custom-service-account) for Cloud Composer environments that has only the required set of permissions that are necessary to run the environment and perform operations defined in your DAGs. The **Composer Worker** (`composer.worker`) role provides this required set of permissions in most cases. Add extra permissions to this service account only when it's necessary for the operation of your DAGs. \n |\n | Although we recommend against using this approach, if you don't specify an environment's service account, then your Cloud Composer environment uses the default Compute Engine service account. The default Compute Engine service account usually has the **Editor** basic role, which contains many more permissions than necessary to run Cloud Composer environments and thus creates a risk of DAGs using broader permissions than intended.\n- Maintaining proper permissions in IAM for the environment's\n bucket\n\n and Artifact Registry repository where Cloud Composer's component images are stored\n\n .\n\n | **Caution:** Users with read-write access to the following components:\n | - Your environment's bucket\n | - Artifact Registry repositories with container images used by: %Airflow components, `GKEPodOperator`, or `GKEStartPodOperator`\n |\n | can deploy their own versions of DAGs or container images to an environment\n | even without explicit Cloud Composer-related permissions.\n | These DAGs or images can be later executed in your environment\n | with the permissions of the Cloud Composer environment\n | service account.\n- Maintaining proper IAM permissions for a service account\n that performs PyPI packages installations. For more information, see\n [Access control](/composer/docs/composer-2/access-control#service-account-security).\n\n | **Caution:** Users with read-write access to the environment's bucket or those who can initiate PyPI packages installations can initate the process of building images on behalf of a service account which is used to perform such builds. This service account is called the environment's service account that is specified during the environment creation, It can be a user-provided service account, or the default service account.\n- Maintaining proper end user permissions in IAM and Airflow\n UI Access Control configuration.\n\n- Keeping Airflow database size below\n 16 GB through\n using the [maintenance DAG](/composer/docs/composer-2/cleanup-airflow-database).\n\n- Resolving all DAG parsing issues before raising support cases to\n Cloud Customer Care.\n\n- Naming DAGs in a proper way (for example, without using invisible characters\n like SPACE or TAB in DAG names) so that metrics can be reported correctly\n for DAGs.\n\n- Upgrade the code of DAGs so that it doesn't use deprecated operators and\n migrate to their up to date alternatives. Deprecated operators might be\n removed from Airflow providers, which might impact your plans to upgrade\n to a later Cloud Composer or Airflow version. The deprecated\n operators are also not maintained and they must be used 'as is'.\n\n- Configuring proper IAM permissions when using secret\n backends like Secret Manager so that the environment's\n service account has access to it.\n\n- Adjusting Cloud Composer environment parameters (such as CPU and\n memory for Airflow components) and Airflow configurations to meet\n performance and load expectations of Cloud Composer environments\n using\n [Cloud Composer optimization guide](/composer/docs/composer-2/optimize-environments)\n and [environment scaling guide](/composer/docs/composer-2/scale-environments).\n\n- Avoiding removing permissions required by Cloud Composer Agent and\n environment's service accounts (removing these permissions can lead either\n to failed management operations or to DAG and task failures).\n\n- Keeping\n [all services and APIs required by Cloud Composer](/composer/docs/composer-2/enable-composer-service#required-services)\n always enabled. These dependencies must have quotas configured at levels\n required for Cloud Composer.\n\n- Keeping Artifact Registry repositories that host container images used by\n Cloud Composer environments.\n\n- [Following recommendations and best practices](/composer/docs/composer-2/write-dags) for\n implementing DAGs.\n\n- Diagnosing DAG and task failures using instructions for\n [scheduler troubleshooting](/composer/docs/composer-2/troubleshooting-scheduling),\n [DAG troubleshooting](/composer/docs/composer-2/troubleshooting-dags) and\n [triggerer troubleshooting](/composer/docs/composer-2/troubleshooting-triggerer).\n\n- Avoiding installing or running additional components in the environment's\n GKE cluster that interfere with Cloud Composer\n components and prevent them from functioning correctly.\n\nWhat's next\n-----------\n\n- [Access control with IAM](/composer/docs/composer-2/access-control)\n- [Clean up the Airflow database](/composer/docs/composer-2/cleanup-airflow-database)\n- [Security overview](/composer/docs/composer-2/composer-security-overview)"]]
