On September 15, 2026, all Cloud Composer 1 and Cloud Composer 2 version 2.0.x environments will reach their planned end of life, and you will no longer be able to use them. We recommend that you plan your migration to Cloud Composer 3.
If you want to use Airflow operators to interact with Cloud Composer environments, including environments in other projects, see Trigger DAGs in other environments and projects.
We recommend that you access resources in other Google Cloud projects in the following way:
1. In your DAGs, use the default connections that are preconfigured in your environment.
   For example, many Google Cloud operators use the google_cloud_default connection, which is configured automatically when you create an environment.
2. Grant additional IAM permissions and roles to the service account of your environment so that it can access resources in another project.
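Determine the service account of your environment
To determine the service account of your environment, follow these steps:
Console
1. In the Google Cloud console, go to the Environments page.
2. In the list of environments, click the name of your environment. The Environment details page opens.
3. Go to the Environment configuration tab.
4. The service account of your environment is listed in the Service account field.
The value is an email address, such as service-account-name@example-project.iam.gserviceaccount.com.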
Grant IAM roles and permissions to access resources in another project
The service account of your environment requires permissions to access resources in another project. These roles and permissions can differ depending on the resource that you want to access.
Access a specific resource
We recommend that you grant roles and permissions for specific resources, such as a single Cloud Storage bucket located in another project. This approach uses resource-based access with conditional role bindings.
To access a specific resource, follow these steps:
1. Follow the Configure resource-based access guide.
2. When granting roles and permissions, specify the service account of your environment as a principal.
After you grant the required permissions and roles, you can access resources in another project with the same default Airflow connections that you use to access resources in the project where your environment is located.
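An added example, not part of the original page or of Google's documentation: a Python check that reads the other project's IAM allow policy and reports whether the grants to the environment's service account follow the resource-specific recommendation above. The policy is a constructed sample in the JSON shape printed by `gcloud projects get-iam-policy`; `audit_bindings`, `project_wide_roles` and the sample members are hypothetical names, and the scope classification is a simple heuristic on the condition expression.

```python
# Constructed sample (not real data), in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
ENV_SA = "service-account-name@example-project.iam.gserviceaccount.com"
BUCKET_ONLY = 'resource.name.startsWith("projects/_/buckets/example-bucket/objects/")'
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": [f"serviceAccount:{ENV_SA}"],
         "condition": {"title": "one-bucket", "expression": BUCKET_ONLY}},
        {"role": "roles/storage.objectAdmin",
         "members": [f"serviceAccount:{ENV_SA}", "user:alice@example.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": [f"serviceAccount:{ENV_SA}"],
         "condition": {"title": "expires",
                       "expression": 'request.time < timestamp("2026-01-01T00:00:00Z")'}},
        {"role": "roles/editor",
         "members": ["serviceAccount:other@other-project.iam.gserviceaccount.com"]},
    ],
}


def audit_bindings(policy, sa_email):
    """Classify every binding that names the environment's service account."""
    member = f"serviceAccount:{sa_email}"
    findings = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        expr = binding.get("condition", {}).get("expression", "")
        if not expr:
            scope = "project-wide"        # role applies across the whole project
        elif "resource.name" in expr:
            scope = "resource-scoped"     # heuristic: condition pins a resource name
        else:
            scope = "conditional-other"   # e.g. time-bound, but not tied to a resource
        findings.append({"role": binding["role"], "scope": scope, "condition": expr})
    return findings


def project_wide_roles(policy, sa_email):
    """Roles the service account holds without any condition."""
    return sorted(f["role"] for f in audit_bindings(policy, sa_email)
                  if f["scope"] == "project-wide")


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_POLICY, ENV_SA):
        print(finding)
```

Bindings reported as project-wide are the ones to replace with a grant on the specific resource or with a conditional role binding.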