Access control with IAM


This page describes the access control options available to you in Cloud Composer and explains how to assign roles.

Overview

For information about granting roles, see Manage access to projects, folders, and organizations.

You can also control permissions for the Airflow web interface beyond enabling or disabling access to it. For more information, see Airflow UI Access Control.

About Identity and Access Management in Cloud Composer

Cloud Composer uses Identity and Access Management (IAM) for access control.

You control access to different Cloud Composer features by assigning roles and permissions both for IAM service accounts and for user accounts in your Google Cloud project.

Cloud Composer uses two types of IAM service accounts, described in the following two sections:

About Cloud Composer Service Agent account

In your project, the Cloud Composer service uses a special Google-managed service account to manage resources that are related to Cloud Composer. This account is called the Cloud Composer Service Agent.

Cloud Composer Service Agent is used for all environments in your project.

About service accounts for Cloud Composer environments

When you create an environment, you specify a service account. Your environment's cluster uses this service account to run pods with different environment components, such as Airflow workers and schedulers.

By default, Cloud Composer environments run using the default Compute Engine service account. This Google-managed service account has more permissions than are required to run Cloud Composer environments; it usually holds the Editor basic role.

We recommend that you set up a user-managed service account for Cloud Composer environments. Assign this account a role that is specific to Cloud Composer, then specify this service account when creating new environments.

About roles for Cloud Composer users

To trigger an environment operation, a user must have enough permissions. For example, if you want to create a new environment, you must have the composer.environments.create permission.

For Cloud Composer, individual permissions are grouped into roles. You can assign these roles to principals.

If your service account has the Project Editor role, then you can execute all environment operations. However, this role has broad permissions. For users that work with environments, we recommend using roles that are specific to Cloud Composer. In this way, you can narrow the scope of permissions and provide different access levels to different principals. For example, one user can have permissions to create, update, upgrade, and delete environments, while another user can only view environments and access the Airflow web interface.

Assign roles to Cloud Composer Service Agent account

When you enable Cloud Composer API in your project, the Composer Service Agent account is created in your project. Cloud Composer uses this account to perform operations in your Google Cloud project.

By default, the Composer Service Agent account has the Cloud Composer API Service Agent role.

Assign roles to a user-managed service account

For a user-managed service account that runs Cloud Composer environments:

  • For a public IP configuration, assign the Composer Worker (composer.worker) role.
  • For a private IP configuration:
    1. Assign the Composer Worker (composer.worker) role.
    2. Assign the Service Account User (iam.serviceAccountUser) role.

Assign roles to users

Depending on the level of access that you want to provide for Cloud Composer environments, grant the following roles to principals.

Manage environments and environment buckets

For a user that can view, create, update, upgrade, and delete environments, manage objects (such as DAG files) in the environment buckets, access the Airflow web interface, and view and trigger DAGs from the DAG UI:

  1. Assign the Environment and Storage Object Administrator (composer.environmentAndStorageObjectAdmin) role.
  2. Assign the Service Account User (iam.serviceAccountUser) role.

    To narrow down permissions for a user, grant this role only on the service account of your environment. For more information, see Grant or revoke a single role.

Manage environments

For a user that can view, create, update, upgrade, and delete environments, access the Airflow web interface, and view and trigger DAGs from the DAG UI:

  1. Assign the Composer Administrator (composer.admin) role.
  2. Assign the Service Account User (iam.serviceAccountUser) role.

    To narrow down permissions for a user, grant this role only on the service account of your environment. For more information, see Grant or revoke a single role.

View environments and manage environment buckets

For a user that can view environments, access the Airflow web interface, view and trigger DAGs from the DAG UI, and manage objects in the environment buckets (for example, to upload new DAG files):

  1. Assign the Environment User and Storage Object Viewer (composer.environmentAndStorageObjectViewer) role.
  2. Assign the Storage Object Admin (storage.objectAdmin) role.

View environments and environment buckets

For a user that can view environments, access the Airflow web interface, view and trigger DAGs from the DAG UI, and view objects in environment buckets, assign the Environment User and Storage Object Viewer (composer.environmentAndStorageObjectViewer) role.

View environments

For a user that can view environments, view and trigger DAGs from the DAG UI, and access the Airflow web interface, assign the Composer User (composer.user) role.
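The recommendations in the two sections above (a user-managed environment service account with the Composer Worker role instead of the default Compute Engine account, Composer-specific roles for users instead of basic roles, and Service Account User granted on the environment's service account rather than project-wide) can be checked mechanically against an exported IAM policy. The following audit script is an added example, not part of this page or of Cloud Composer; it assumes the JSON binding shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` return, and the sample policies and principals in it are constructed.

```python
from typing import Dict, List, Set

# Roles this page recommends instead of the basic Owner/Editor roles.
BROAD_ROLES = {"roles/owner", "roles/editor"}
ENV_ADMIN_ROLES = {"roles/composer.admin",
                   "roles/composer.environmentAndStorageObjectAdmin"}
SA_USER_ROLE = "roles/iam.serviceAccountUser"
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Invert the bindings of an IAM policy (the JSON shape returned by
    gcloud ... get-iam-policy --format=json) into member -> set of roles."""
    out: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def env_sa_findings(project_policy: dict, sa_email: str, private_ip: bool) -> List[str]:
    """Check the environment's service account against the roles listed above."""
    held = roles_by_member(project_policy).get(f"serviceAccount:{sa_email}", set())
    findings = []
    if sa_email.endswith(DEFAULT_COMPUTE_SA_SUFFIX):
        findings.append(f"{sa_email} is the default Compute Engine service account")
    if held & BROAD_ROLES:
        findings.append(f"{sa_email} holds a basic role: {sorted(held & BROAD_ROLES)}")
    required = {"roles/composer.worker"}
    if private_ip:  # private IP configurations also need Service Account User
        required.add(SA_USER_ROLE)
    findings.extend(f"{sa_email} is missing {role}" for role in sorted(required - held))
    return findings


def user_findings(project_policy: dict, env_sa_policy: dict) -> List[str]:
    """Flag users holding basic roles, and Service Account User bound project-wide
    instead of on the environment's service account (env_sa_policy is that
    service account's own IAM policy)."""
    findings = []
    on_sa = roles_by_member(env_sa_policy)
    for member, held in roles_by_member(project_policy).items():
        if not member.startswith("user:"):
            continue
        if held & BROAD_ROLES:
            findings.append(f"{member} holds a basic role instead of a Composer role")
        if SA_USER_ROLE in held:
            findings.append(f"{member} has {SA_USER_ROLE} on the whole project; "
                            "grant it on the environment's service account instead")
        elif held & ENV_ADMIN_ROLES and SA_USER_ROLE not in on_sa.get(member, set()):
            findings.append(f"{member} manages environments but lacks {SA_USER_ROLE} "
                            "on the environment's service account")
    return findings


# Constructed sample policies for demonstration only; not from a real project.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [
        "serviceAccount:123456-compute@developer.gserviceaccount.com",
        "user:alice@example.com"]},
    {"role": "roles/composer.worker", "members": [
        "serviceAccount:composer-env@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/composer.admin", "members": [
        "user:bob@example.com", "user:carol@example.com"]},
    {"role": SA_USER_ROLE, "members": ["user:bob@example.com"]},
    {"role": "roles/composer.user", "members": ["user:dave@example.com"]},
]}
ENV_SA_POLICY = {"bindings": [
    {"role": SA_USER_ROLE, "members": ["user:carol@example.com"]}]}
```

Run `env_sa_findings` once per environment with that environment's service account and IP configuration, and `user_findings` once with the project policy plus the service account's own policy.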

Assign permissions to use gcloud with environments

To use gcloud with Cloud Composer environments, you need the following permissions:

  • composer.environments.get
  • container.clusters.get
  • container.clusters.list
  • container.clusters.getCredentials

If you want to manage environments or environment buckets with gcloud composer commands, you must also have a role that has enough permissions to do so.

If you want to run Airflow CLI commands, you need the following additional permissions:

  • container.namespaces.list
  • container.pods.exec
  • container.pods.get
  • container.pods.list

Roles

Each role below is listed with its title, its role ID, a description, and the permissions it includes.

Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)

Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.

Permissions:

  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

Composer Administrator
(roles/composer.admin)

Provides full control of Cloud Composer resources.

Lowest-level resources where you can grant this role: Project

Permissions:

  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)

Provides full control of Cloud Composer resources and of the objects in all project buckets.

Lowest-level resources where you can grant this role: Project

Permissions:

  • composer.*
  • orgpolicy.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.multipartUploads.*
  • storage.objects.*

Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)

Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.

Lowest-level resources where you can grant this role: Project

Permissions:

  • composer.dags.*
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.list
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)

Role that should be assigned to the Composer Agent service account in a Shared VPC host project.

Permissions:

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.*

Composer User
(roles/composer.user)

Provides the permissions necessary to list and get Cloud Composer environments and operations.

Lowest-level resources where you can grant this role: Project

Permissions:

  • composer.dags.*
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.list
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Composer Worker
(roles/composer.worker)

Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.

Lowest-level resources where you can grant this role: Project

Permissions:

  • artifactregistry.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • composer.environments.get
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • logging.logEntries.list
  • logging.privateLogEntries.list
  • logging.views.access
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • orgpolicy.policy.get
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.multipartUploads.*
  • storage.objects.*

Roles for service agents

Cloud Composer API Service Agent
(roles/composer.serviceAgent)

The Cloud Composer API service agent can manage environments.

Permissions:

  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.memcache.addKey
  • appengine.memcache.flush
  • appengine.memcache.get
  • appengine.memcache.update
  • appengine.operations.*
  • appengine.runtimes.actAsAdmin
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • artifactregistry.repositories.create
  • artifactregistry.repositories.delete
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.update
  • cloudnotifications.activities.list
  • cloudsql.*
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.use
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • container.*
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.locations.*
  • logging.logEntries.create
  • logging.logMetrics.*
  • logging.logServiceIndexes.list
  • logging.logServices.list
  • logging.logs.list
  • logging.notificationRules.*
  • logging.operations.*
  • logging.sinks.*
  • logging.views.create
  • logging.views.delete
  • logging.views.get
  • logging.views.list
  • logging.views.update
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • opsconfigmonitoring.resourceMetadata.list
  • orgpolicy.policy.get
  • pubsub.*
  • recommender.cloudsqlIdleInstanceRecommendations.*
  • recommender.cloudsqlInstanceActivityInsights.*
  • recommender.cloudsqlInstanceCpuUsageInsights.*
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.*
  • recommender.cloudsqlInstanceMemoryUsageInsights.*
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.*
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.createPeeredDnsDomain
  • servicenetworking.services.deletePeeredDnsDomain
  • servicenetworking.services.get
  • servicenetworking.services.listPeeredDnsDomains
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*
  • trafficdirector.*

Basic roles

Owner
(roles/owner)

Basic role that allows full control of Cloud Composer resources.

Lowest-level resources where you can grant this role: Project

Permissions:

  • composer.environments.create
  • composer.environments.delete
  • composer.environments.get
  • composer.environments.list
  • composer.environments.update
  • composer.imageversions.list
  • composer.operations.delete
  • composer.operations.get
  • composer.operations.list
  • composer.dags.list
  • composer.dags.get
  • composer.dags.execute
  • iam.serviceAccounts.actAs

Editor
(roles/editor)

Basic role that allows full control of Cloud Composer resources.

Lowest-level resources where you can grant this role: Project

Permissions:

  • composer.environments.create
  • composer.environments.delete
  • composer.environments.get
  • composer.environments.list
  • composer.environments.update
  • composer.imageversions.list
  • composer.operations.delete
  • composer.operations.get
  • composer.operations.list
  • composer.dags.list
  • composer.dags.get
  • composer.dags.execute
  • iam.serviceAccounts.actAs

Viewer
(roles/viewer)

Basic role that allows a user to list and get Cloud Composer resources.

Lowest-level resources where you can grant this role: Project

Permissions:

  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.list
  • composer.operations.get
  • composer.operations.list
  • composer.dags.list
  • composer.dags.get

Permissions for API methods

The following table lists permissions that the caller must have to call each API method in the Cloud Composer API or to perform tasks using Google Cloud tools that use the API (such as Google Cloud console or Google Cloud CLI).

Method               Permission
environments.create  composer.environments.create, and iam.serviceAccounts.actAs on the environment's service account
environments.delete  composer.environments.delete
environments.get     composer.environments.get
environments.list    composer.environments.list
environments.update  composer.environments.update
operations.delete    composer.operations.delete
operations.get       composer.operations.get
operations.list      composer.operations.list

Permissions for working with DAGs from Google Cloud console

The following permissions cover working with DAGs from Google Cloud console, through the DAG UI:

Permission             Description
composer.dags.list     View the list of DAGs on the Environment details page.
composer.dags.get      Get detailed information about DAGs, DAG runs, and tasks on the DAG details page.
composer.dags.execute  Trigger DAGs from the DAG details page.

You can use Airflow UI Access Control to further control DAG permissions for user accounts. The DAG UI requires both IAM and Airflow UI Access Control permissions to allow a specific action on a DAG. At the same time, the Airflow UI validates user access only against Airflow UI Access Control permissions, skipping IAM permissions.

For example, if a user has the composer.dags.execute permission and the Viewer Airflow role, then this user cannot trigger DAGs from Google Cloud console. Conversely, if a user does not have the composer.dags.list permission, this user can still view the list of DAGs in the Airflow UI.

Using a service account from another project

If you want a Cloud Composer environment in one project to use a user-managed service account from a different project, you must configure the user-managed service account to work across projects.

In the following steps, replace SERVICE_PROJECT_NUMBER with the project number of the project where your Cloud Composer environment is located.

  1. Edit the allow policy of the project where your user-managed service account is located:

    1. Grant the Service Account Token Creator role to the Compute Engine default service account of the project where your environment is located (SERVICE_PROJECT_NUMBER-compute@developer.gserviceaccount.com).

    2. Grant the Service Account Token Creator role to the Cloud Composer Service Agent of the project where your environment is located (service-SERVICE_PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com).

  2. Edit the allow policy of the project where your environment is located. Grant the required roles to your user-managed service account, as described in Assign roles to a user-managed service account. For example, in a Public IP configuration, your user-managed service account requires the Composer Worker role.
