On September 15, 2026, all Cloud Composer 1 and Cloud Composer 2 version 2.0.x environments will reach their planned end of life and can no longer be used. We recommend planning a migration to Cloud Composer 3.
Running a business-critical application on Cloud Composer requires multiple parties to carry different responsibilities. While not an exhaustive list, this document lists the responsibilities of both Google and the customer.
Google responsibilities
Hardening and patching the components and underlying infrastructure of the Cloud Composer environment, including the Google Kubernetes Engine cluster, the Cloud SQL database (which hosts the Airflow database), Pub/Sub, Artifact Registry, and other environment elements. This includes automatically upgrading the underlying infrastructure, including the GKE cluster and the Cloud SQL instance of an environment.
Providing Google Cloud integrations for Identity and Access Management, Cloud Audit Logs, and Cloud Key Management Service.
Restricting and logging Google administrative access to customers' clusters for contractual support purposes with Access Transparency and Access Approval.
Publishing information about backward-incompatible changes between Cloud Composer and Airflow versions in the Cloud Composer release notes.
Keeping Cloud Composer documentation up to date:
Providing a description of all functionality provided by Cloud Composer.
Providing troubleshooting instructions that help keep environments in a healthy state.
Publishing information about known issues with workarounds (if they exist).
Resolving critical security incidents related to Cloud Composer environments and Airflow images provided by Cloud Composer (excluding customer-installed Python packages) by delivering new environment versions that address the incidents.
Depending on the customer's support plan, troubleshooting Cloud Composer environment health issues.
Troubleshooting and, if possible, fixing issues in Airflow core functionality.
Customer responsibilities
Upgrading to new Cloud Composer and Airflow versions to keep support for the product and to resolve security issues once the Cloud Composer service publishes a version that addresses the issues.
Maintaining the DAG code so that it stays compatible with the Airflow version in use.
Maintaining proper permissions in IAM for the environment's service account. Keeping the permissions required by the Cloud Composer Agent and the environment's service account. Maintaining the required permission for the CMEK key used for Cloud Composer environment encryption and rotating it according to your needs.
Maintaining proper permissions in IAM for the environment's bucket.
Maintaining proper IAM permissions for a service account that performs PyPI package installations. For more information, see Access control.
Maintaining proper end-user permissions in IAM and in the Airflow UI access control configuration.
Keeping the Airflow database size below 20 GB by using the maintenance DAG.
Resolving all DAG parsing issues before opening support cases with Cloud Customer Care.
Naming DAGs properly (for example, without using invisible characters such as SPACE or TAB in DAG names) so that metrics can be reported correctly for DAGs.
Upgrading the code of DAGs so that it doesn't use deprecated operators, and migrating to their up-to-date alternatives. Deprecated operators might be removed from Airflow providers, which might affect your plans to upgrade to a later Cloud Composer or Airflow version. Deprecated operators are also not maintained and must be used "as is".
Configuring proper IAM permissions when using secret backends such as Secret Manager, so that the environment's service account has access to them.
Adjusting Cloud Composer environment parameters (such as CPU and memory for Airflow components) and Airflow configurations to meet the performance and load expectations of Cloud Composer environments, using the Cloud Composer optimization guide and the environment scaling guide.
Avoiding removal of the permissions required by the Cloud Composer Agent and the environment's service accounts. Removing these permissions can lead to failed management operations or to DAG and task failures.