This page describes the access control options available to you in Cloud Composer API.
Cloud Composer API uses Cloud Identity and Access Management (Cloud IAM) for access control.
In the Cloud Composer API, access control can be configured at the project level. For example, you can grant access to all Cloud Composer API resources within a project to a group of developers.
For a detailed description of Cloud IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see its Managing Cloud IAM Policies section.
Every Cloud Composer API method requires the caller to have the necessary permissions. See Permissions and roles for more information.
The following table lists the permissions that the caller must have to call each API method in the Cloud Composer API or to perform tasks using GCP tools that use the API, such as Google Cloud Platform Console or Cloud SDK.
Cloud Composer Roles
||Owner||Primitive role that allows full control of Cloud Composer resources.||
||Editor||Primitive role that allows full control of Cloud Composer resources.||
||Viewer||Primitive role that allows a user to list and get Cloud Composer resources.||
Permissions for common tasks
Roles are a collection of permissions. This section lists the roles or permissions required for common tasks.
|Task||Permissions and/or roles|
|Access the Cloud IAP-protected Airflow web interface||composer.environments.get|
|Run Airflow CLI using the `gcloud` command-line tool||
|View the Environments page in the GCP Console||
|View Stackdriver logs and metrics||
|Create an environment||composer.environments.create|
|Update and delete an environment, including setting environment variables and installing/updating Python packages||
|Upload files to the DAGs and Plugins folders and access Airflow logs in the Logs folder||storage.objectAdmin assigned at the bucket or
the project level
composer.environments.get to look up the DAG destination bucket
Access control via
To assign predefined roles, execute the
gcloud projects get-iam-policy
command to get the current policy, update the policy binding with either the
roles/composer.admin (Composer Administrator) role or the
roles/composer.user (Composer User) role, and then execute
gcloud projects set-iam-policy
command. See the Granting, Changing, and Revoking Access to Resources
page of the Cloud IAM documentation for more information about assigning roles
To configure a custom role with Cloud Composer permissions, execute the
gcloud iam roles create command,
including the desired list of permissions from the roles table.
Then, update the Cloud IAM policy with the newly configured custom
role. See the Creating a custom role
page in the Cloud IAM documentation for more information.
Access control via the GCP Console
You can use the GCP Console to manage access control for your environments and projects.
To set access controls at the project level:
- Open the IAM page in the Google Cloud Platform Console.
- Select your project, and click Continue.
- Click Add Member.
- Enter the email address of a new member to whom you have not granted any Cloud IAM role previously.
- Select the desired role from the drop-down menu.
- Click Add.
- Verify that the member is listed under the role that you granted.