Cloud Composer Access Control

  1. Overview
  2. Permissions and Roles
  3. Access Control via the GCP Console

Overview

Cloud Composer API uses Cloud Identity and Access Management (Cloud IAM) for access control.

In Cloud Composer API, access control can be configured at the project level. For example, you can grant access to all Cloud Composer API resources within a project to a group of developers.

For a detailed description of Cloud IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see its Managing Cloud IAM Policies section.

Every Cloud Composer API method requires the caller to have the necessary permissions. See Permissions and Roles for more information.

Permissions and roles

This section summarizes the Cloud Composer API permissions and roles that Cloud IAM supports.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Method               Required permission
environments.create  composer.environments.create
environments.delete  composer.environments.delete
environments.get     composer.environments.get
environments.list    composer.environments.list
environments.update  composer.environments.update
operations.delete    composer.operations.delete
operations.get       composer.operations.get
operations.list      composer.operations.list
Notes:

The composer.environments.get permission is required for users to access the Airflow webserver, which is protected by Cloud Identity-Aware Proxy.

Roles

The following table lists the Cloud Composer API roles in Cloud IAM with a corresponding list of all the permissions that each role includes. Note that every permission is applicable to a project-level resource type.

Role: Composer Administrator*
Includes permissions:
  • composer.operations.list
  • composer.operations.get
  • composer.operations.delete
  • composer.environments.list
  • composer.environments.get
  • composer.environments.delete
  • composer.environments.update
  • composer.environments.create
Description: The Composer Administrator predefined role allows full control of Cloud Composer resources.

Role: Composer User*
Includes permissions:
  • composer.environments.list
  • composer.environments.get
Description: The Composer User predefined role allows a user to list and get Cloud Composer environments.

Role: Owner
Includes permissions:
  • composer.operations.list
  • composer.operations.get
  • composer.operations.delete
  • composer.environments.list
  • composer.environments.get
  • composer.environments.delete
  • composer.environments.update
  • composer.environments.create
Description: The Owner primitive role allows full control of Cloud Composer resources.

Role: Editor
Includes permissions:
  • composer.operations.list
  • composer.operations.get
  • composer.operations.delete
  • composer.environments.list
  • composer.environments.get
  • composer.environments.delete
  • composer.environments.update
  • composer.environments.create
Description: The Editor primitive role allows full control of Cloud Composer resources.

Role: Viewer
Includes permissions:
  • composer.operations.list
  • composer.operations.get
  • composer.environments.list
  • composer.environments.get
Description: The Viewer primitive role allows a user to list and get Cloud Composer resources.

Access control via gcloud

To assign one of these predefined roles, execute the gcloud get-iam-policy command to get the current policy, update the policy binding with either the roles/composer.admin (Composer Administrator) role or the roles/composer.user (Composer User) role, and then execute the gcloud set-iam-policy command. See the Granting access to team members page of the Cloud IAM documentation for more information about assigning roles using gcloud.

To configure a custom role with Cloud Composer permissions, execute the gcloud iam roles create command, including the desired list of permissions from the table above. Then update the Cloud IAM policy with the newly configured custom role. See the Creating a custom role page in the Cloud IAM documentation for more information.
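The get-policy, edit-binding, set-policy sequence and the custom-role step above, worked through as an added example (not Google's code): the policy is a constructed sample in the shape gcloud projects get-iam-policy returns, the role-to-permission map is copied from the roles table, and the helpers are hypothetical names chosen here.

```python
from copy import deepcopy

# Cloud Composer permissions each role grants, taken from the roles table above.
ENV = ["composer.environments." + p for p in ("list", "get", "delete", "update", "create")]
OPS = ["composer.operations." + p for p in ("list", "get", "delete")]
ROLE_PERMISSIONS = {
    "roles/composer.admin": ENV + OPS,
    "roles/composer.user": ENV[:2],
    "roles/owner": ENV + OPS,
    "roles/editor": ENV + OPS,
    "roles/viewer": ENV[:2] + OPS[:2],
}

# Constructed sample in the shape `gcloud projects get-iam-policy PROJECT --format=json`
# returns; the etag is a made-up value.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/composer.user", "members": ["group:data-eng@example.com"]},
    ],
    "etag": "BwConstructedEtag=",
    "version": 1,
}

def add_binding(policy, role, member):
    """Copy of the policy with member bound to role; idempotent, etag kept for set-iam-policy."""
    updated = deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated

def composer_permissions(policy, member):
    """Composer permissions a member holds via project bindings (roles outside the table add none)."""
    granted = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted.update(ROLE_PERMISSIONS.get(binding["role"], []))
    return sorted(granted)

def custom_role_spec(title, permissions):
    """Body for `gcloud iam roles create ROLE_ID --project PROJECT --file=role.json`; Composer perms only."""
    unknown = sorted(set(permissions) - set(ENV + OPS))
    if unknown:
        raise ValueError(f"not Cloud Composer permissions: {unknown}")
    return {"title": title, "stage": "GA", "includedPermissions": sorted(permissions)}
```

Checking that a member's resulting permissions include composer.environments.get is the quickest way to confirm they will get past Identity-Aware Proxy to the Airflow webserver.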
