Access Control

This page describes the access control options available for the Cloud Composer API.

Overview

Cloud Composer API uses Cloud Identity and Access Management (Cloud IAM) for access control.

In the Cloud Composer API, access control is configured at the project level; Composer permissions cannot be scoped to a single environment. For example, you can grant access to all Cloud Composer API resources within a project to a group of developers, but not to one environment only.

For a detailed description of Cloud IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see its Managing Cloud IAM Policies section.

Every Cloud Composer API method requires the caller to have the necessary permissions. See Permissions and roles for more information.

Permissions and roles

This section summarizes the Cloud Composer API permissions and roles that Cloud IAM supports.

Required permissions

The following table lists the permission that the caller must have to call each API method in the Cloud Composer API, or to perform the equivalent task with a GCP tool that uses the API, such as the Google Cloud Platform Console or the Cloud SDK.

Method               Required permission
environments.create  composer.environments.create
environments.delete  composer.environments.delete
environments.get     composer.environments.get
environments.list    composer.environments.list
environments.update  composer.environments.update
operations.delete    composer.operations.delete
operations.get       composer.operations.get
operations.list      composer.operations.list

Roles

The following table lists the Cloud Composer roles in Cloud IAM with a corresponding list of all the permissions that each predefined and primitive role includes.

Every permission applies to a project-level resource; there is no per-environment scoping.

Each entry gives the role title, the role name, the permissions it includes, and a description. Where an entry lists another role (for example roles/storage.objectAdmin), the Composer role includes all of that role's permissions.

Composer Administrator (roles/composer.admin)
  • composer.operations.list
  • composer.operations.get
  • composer.operations.delete
  • composer.environments.list
  • composer.environments.get
  • composer.environments.delete
  • composer.environments.update
  • composer.environments.create
  • servicemanagement.projectSettings.get
  Allows full control of Cloud Composer resources.

Composer and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)
  • composer.operations.list
  • composer.operations.get
  • composer.operations.delete
  • composer.environments.list
  • composer.environments.get
  • composer.environments.delete
  • composer.environments.update
  • composer.environments.create
  • servicemanagement.projectSettings.get
  • all permissions of roles/storage.objectAdmin
  Allows full control of Cloud Composer resources and of objects in all buckets in the project, not only the environment's bucket. Required for users who view and modify objects in the environment's Cloud Storage bucket, including DAGs and plugins.

Composer User (roles/composer.user)
  • composer.operations.get
  • composer.operations.list
  • composer.environments.list
  • composer.environments.get
  • servicemanagement.projectSettings.get
  Allows a user to list and get Cloud Composer environments and operations.

Composer User and Storage Object Viewer (roles/composer.environmentAndStorageObjectViewer)
  • composer.operations.get
  • composer.operations.list
  • composer.environments.list
  • composer.environments.get
  • servicemanagement.projectSettings.get
  • all permissions of roles/storage.objectViewer
  Allows a user to list and get Cloud Composer environments and operations, and provides read-only access to objects in all buckets in the project, not only the environment's bucket. Required for users who view objects in the environment's Cloud Storage bucket, including DAGs and plugins.

Composer Worker (roles/composer.worker)
  • all permissions of roles/cloudbuild.builds.builder
  • all permissions of roles/container.admin
  • all permissions of roles/logging.logWriter
  • all permissions of roles/monitoring.metricWriter
  • all permissions of roles/pubsub.editor
  • all permissions of roles/storage.objectAdmin
  Grants a service account the permissions required to run a Cloud Composer environment VM, including rebuilding images to update PyPI packages, managing the cluster, accessing the Cloud Storage bucket for the environment, and communicating with the control plane. Because this role bundles container.admin and project-wide storage.objectAdmin, grant it only to the service account that runs the environment, and do not reuse that account for other workloads.

Owner (roles/owner)
  • composer.operations.list
  • composer.operations.get
  • composer.operations.delete
  • composer.environments.list
  • composer.environments.get
  • composer.environments.delete
  • composer.environments.update
  • composer.environments.create
  Primitive role that allows full control of Cloud Composer resources.

Editor (roles/editor)
  • composer.operations.list
  • composer.operations.get
  • composer.operations.delete
  • composer.environments.list
  • composer.environments.get
  • composer.environments.delete
  • composer.environments.update
  • composer.environments.create
  Primitive role that allows full control of Cloud Composer resources.

Viewer (roles/viewer)
  • composer.operations.list
  • composer.operations.get
  • composer.environments.list
  • composer.environments.get
  Primitive role that allows a user to list and get Cloud Composer resources.

Permissions for common tasks

Roles are collections of permissions. This section lists the roles or permissions required for common tasks.

Access the Cloud IAP-protected Airflow web interface
  • composer.environments.get

Run the Airflow CLI using the gcloud command-line tool
  • composer.environments.get
  • container.clusters.get
  • container.clusters.list
  • container.clusters.getCredentials

View the Environments page in the GCP Console

View Stackdriver logs and metrics

Create an environment
  • composer.environments.create

Update and delete an environment, including setting environment variables and installing or updating Python packages
  • composer.environments.delete
  • composer.environments.update

Upload files to the DAGs and Plugins folders and access Airflow logs in the Logs folder
  • roles/storage.objectAdmin, granted on the environment's bucket or at the project level (granting it on the bucket alone is the narrower choice, since the project-level grant covers every bucket in the project)

Access control via gcloud

To assign predefined roles, execute the gcloud projects get-iam-policy command to get the current policy, add a binding for either the roles/composer.admin (Composer Administrator) role or the roles/composer.user (Composer User) role, and then execute the gcloud projects set-iam-policy command with the updated policy. Keep the etag returned by get-iam-policy in the policy you submit, so that set-iam-policy fails instead of silently overwriting a change made by someone else in the meantime. For a single binding, gcloud projects add-iam-policy-binding performs this read-modify-write in one step. See the Granting access to team members page of the Cloud IAM documentation for more information about assigning roles using gcloud.

To configure a custom role with Cloud Composer permissions, execute the gcloud iam roles create command, including the desired list of permissions from the roles table. Then, update the Cloud IAM policy with the newly configured custom role. See the Creating a custom role page in the Cloud IAM documentation for more information.
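The following script is an added example, not part of this page or of the Cloud Composer tooling. It carries out the read-modify-write described above on the JSON that gcloud projects get-iam-policy PROJECT --format=json prints: it adds or removes a binding idempotently while preserving the etag, answers "which members can call composer.environments.delete?" from the role-to-permission table on this page, and builds the gcloud iam roles create invocation for a custom role after checking that every requested permission is one the table lists. It does not call gcloud itself; it writes the updated policy to a file and prints the commands to apply it. The sample policy, the etag, the member addresses, the custom role name and the project ID my-project are constructed for the example.

```python
"""Read-modify-write of a project IAM policy for Cloud Composer roles."""
import json

# Permissions carried by each role, copied from the roles table on this page.
# Only composer.* and servicemanagement.* permissions are modelled; the Cloud
# Storage roles bundled into the *StorageObject* roles are not expanded.
_ADMIN = {
    "composer.operations.list", "composer.operations.get",
    "composer.operations.delete", "composer.environments.list",
    "composer.environments.get", "composer.environments.delete",
    "composer.environments.update", "composer.environments.create",
    "servicemanagement.projectSettings.get",
}
_USER = {
    "composer.operations.list", "composer.operations.get",
    "composer.environments.list", "composer.environments.get",
    "servicemanagement.projectSettings.get",
}
_COMPOSER_ALL = {p for p in _ADMIN if p.startswith("composer.")}
ROLE_PERMISSIONS = {
    "roles/composer.admin": _ADMIN,
    "roles/composer.environmentAndStorageObjectAdmin": _ADMIN,
    "roles/composer.user": _USER,
    "roles/composer.environmentAndStorageObjectViewer": _USER,
    # Primitive roles: owner and editor carry every composer.* permission,
    # viewer only the list/get ones.
    "roles/owner": _COMPOSER_ALL,
    "roles/editor": _COMPOSER_ALL,
    "roles/viewer": {p for p in _COMPOSER_ALL if p.endswith((".list", ".get"))},
}

# Constructed sample of what `gcloud projects get-iam-policy PROJECT
# --format=json` prints for a small project. The etag is made up.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/composer.user",
         "members": ["group:data-eng@example.com"]},
    ],
    "etag": "BwWYuu4yPFc=",
    "version": 1,
}


def add_binding(policy, role, member):
    """Return a copy of policy with member granted role (idempotent).

    The etag is kept so that set-iam-policy rejects the write if someone
    else changed the policy between get and set.
    """
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"not a role this example knows: {role}")
    new = json.loads(json.dumps(policy))  # deep copy, etag included
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, role, member):
    """Return a copy of policy without member in role; empty bindings are dropped."""
    new = json.loads(json.dumps(policy))
    kept = []
    for binding in new["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def members_with_permission(policy, permission):
    """Members holding a role that carries permission.

    IAM conditions and roles outside ROLE_PERMISSIONS are not modelled.
    """
    holders = set()
    for binding in policy["bindings"]:
        if permission in ROLE_PERMISSIONS.get(binding["role"], ()):
            holders.update(binding["members"])
    return holders


def custom_role_command(project, role_id, title, permissions):
    """argv for gcloud iam roles create, after checking every requested
    permission against the ones listed in the roles table."""
    known = set().union(*ROLE_PERMISSIONS.values())
    unknown = sorted(set(permissions) - known)
    if unknown:
        raise ValueError(f"not Composer permissions from the table: {unknown}")
    return ["gcloud", "iam", "roles", "create", role_id,
            f"--project={project}", f"--title={title}",
            f"--permissions={','.join(sorted(permissions))}", "--stage=GA"]


if __name__ == "__main__":
    project = "my-project"  # hypothetical project ID
    updated = add_binding(SAMPLE_POLICY, "roles/composer.admin",
                          "user:bob@example.com")
    with open("policy.json", "w") as fh:
        json.dump(updated, fh, indent=2)
    print("Review policy.json, then apply with:")
    print(f"  gcloud projects set-iam-policy {project} policy.json")
    print("Can delete environments:",
          sorted(members_with_permission(updated, "composer.environments.delete")))
    print(" ".join(custom_role_command(
        project, "composerOperator", "Composer environment operator",
        ["composer.environments.get", "composer.environments.list",
         "composer.environments.update"])))
```

The members_with_permission check is the part worth keeping around: before granting roles/composer.admin, or a primitive role, it shows who already holds the permission through roles/owner or roles/editor, which is usually the grant to remove first.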

Access control via the GCP Console

You can use the GCP Console to manage access control for your environments and projects.

To set access controls at the project level:

  1. Open the IAM page in the Google Cloud Platform Console.
  2. Select your project, and click Continue.
  3. Click Add Member.
  4. Enter the email address of a new member to whom you have not granted any Cloud IAM role previously.
  5. Select the desired role from the drop-down menu.
  6. Click Add.
  7. Verify that the member is listed under the role that you granted.