Access control with IAM

This page describes the access control options available to you in Cloud Composer and explains how to assign roles.

Overview

For information about granting roles, see Manage access to projects, folders, and organizations.

You can also control permissions for the Airflow web interface beyond enabling or disabling access to it. For more information, see Airflow Role-Based Access Control.

About Identity and Access Management in Cloud Composer

Cloud Composer uses Identity and Access Management (IAM) for access control.

You control access to different Cloud Composer features by assigning roles and permissions both for IAM service accounts and for user accounts in your Google Cloud project.

Cloud Composer uses two types of IAM service accounts: the Cloud Composer Service Agent and the service account of each environment. Both are described in the following sections.

About Cloud Composer Service Agent account

In your project, the Cloud Composer service uses a special Google-managed service account to manage resources that are related to Cloud Composer. This account is called the Cloud Composer Service Agent.

Cloud Composer Service Agent is used for all environments in your project.

About service accounts for Cloud Composer environments

When you create an environment, you specify a service account. Your environment's cluster uses this service account to run pods with different environment components, such as Airflow workers and schedulers.

By default, Cloud Composer environments run using the default Compute Engine service account. This Google-managed service account has more permissions than are required to run Cloud Composer environments; it usually holds the Editor basic role.

We recommend that you set up a user-managed service account for Cloud Composer environments. Assign this account a role that is specific to Cloud Composer, and then specify this service account when you create new environments.

About roles for Cloud Composer users

To trigger an environment operation, a user must have enough permissions. For example, if you want to create a new environment, you must have the composer.environments.create permission.

For Cloud Composer, individual permissions are grouped into roles. You can assign these roles to principals.

If your service account has the Project Editor role, then you can execute all environment operations. However, this role has broad permissions. For users that work with environments, we recommend using roles that are specific to Cloud Composer. In this way, you can narrow the scope of permissions and provide different access levels to different principals. For example, one user can have permissions to create, update, upgrade, and delete environments, while another user can only view environments and access the Airflow web interface.

Assign roles to a user-managed service account

For a user-managed service account that runs Cloud Composer environments:

  • For a public IP configuration, assign the Composer Worker (composer.worker) role.
  • For a private IP configuration:
    1. Assign the Composer Worker (composer.worker) role.
    2. Assign the Service Account User (iam.serviceAccountUser) role.

Assign roles to users

Depending on the level of access that you want to provide for Cloud Composer environments, grant the following roles to principals.

Manage environments and environment buckets

For a user that can view, create, update, upgrade, and delete environments, manage objects (such as DAG files) in the environment buckets, and access the Airflow web interface:

  1. Assign the Environment and Storage Object Administrator (composer.environmentAndStorageObjectAdmin) role.
  2. Assign the Service Account User (iam.serviceAccountUser) role.

Manage environments

For a user that can view, create, update, upgrade, and delete environments, and access the Airflow web interface:

  1. Assign the Composer Administrator (composer.admin) role.
  2. Assign the Service Account User (iam.serviceAccountUser) role.

View environments and manage environment buckets

For a user that can view environments, access the Airflow web interface, and manage objects in the environment buckets (for example, to upload new DAG files):

  1. Assign the Environment User and Storage Object Viewer (composer.environmentAndStorageObjectViewer) role.
  2. Assign the Storage Object Admin (storage.objectAdmin) role.

View environments and environment buckets

For a user that can view environments, access the Airflow web interface, and view objects in environment buckets, assign the Environment User and Storage Object Viewer (composer.environmentAndStorageObjectViewer) role.

View environments

For a user that can view environments and access the Airflow web interface, assign the Composer User (composer.user) role.

Assign permissions to use gcloud with environments

The following permissions are required to use the gcloud command-line tool with Cloud Composer environments, for example, to run Airflow CLI commands.

If you want to manage environments or environment buckets with gcloud composer commands, you must also have a role that grants enough permissions to do so.

To use gcloud with Cloud Composer environments, you need the following permissions:

  • composer.environments.get
  • container.clusters.get
  • container.clusters.list
  • container.clusters.getCredentials

Roles

Each role is listed with its description, the lowest-level resource where you can grant it, and the permissions it includes.

Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)

Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.

Permissions:

  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

Composer Administrator
(roles/composer.admin)

Provides full control of Cloud Composer resources.

Lowest-level resource where you can grant this role: Project

Permissions:

  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)

Provides full control of Cloud Composer resources and of the objects in all project buckets.

Lowest-level resource where you can grant this role: Project

Permissions:

  • composer.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.*

Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)

Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.

Lowest-level resource where you can grant this role: Project

Permissions:

  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)

Role that should be assigned to the Composer Agent service account in the Shared VPC host project.

Permissions:

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.*

Composer User
(roles/composer.user)

Provides the permissions necessary to list and get Cloud Composer environments and operations.

Lowest-level resource where you can grant this role: Project

Permissions:

  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Composer Worker
(roles/composer.worker)

Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.

Lowest-level resource where you can grant this role: Project

Permissions:

  • artifactregistry.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • composer.environments.get
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*

Basic roles

Owner
(roles/owner)

Basic role that allows full control of Cloud Composer resources.

Lowest-level resource where you can grant this role: Project

Permissions:

  • composer.environments.create
  • composer.environments.delete
  • composer.environments.get
  • composer.environments.list
  • composer.environments.update
  • composer.imageversions.list
  • composer.operations.delete
  • composer.operations.get
  • composer.operations.list
  • iam.serviceAccounts.actAs

Editor
(roles/editor)

Basic role that allows full control of Cloud Composer resources.

Lowest-level resource where you can grant this role: Project

Permissions:

  • composer.environments.create
  • composer.environments.delete
  • composer.environments.get
  • composer.environments.list
  • composer.environments.update
  • composer.imageversions.list
  • composer.operations.delete
  • composer.operations.get
  • composer.operations.list
  • iam.serviceAccounts.actAs

Viewer
(roles/viewer)

Basic role that allows a user to list and get Cloud Composer resources.

Lowest-level resource where you can grant this role: Project

Permissions:

  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.list
  • composer.operations.get
  • composer.operations.list

Permissions

The following table lists permissions that the caller must have to call each API method in the Cloud Composer API or to perform tasks using Google Cloud tools that use the API (such as Google Cloud Console or Cloud SDK).

Method               Permission
environments.create  composer.environments.create, and iam.serviceAccounts.actAs on the environment's service account
environments.delete  composer.environments.delete
environments.get     composer.environments.get
environments.list    composer.environments.list
environments.update  composer.environments.update
operations.delete    composer.operations.delete
operations.get       composer.operations.get
operations.list      composer.operations.list
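As an added check that is not part of Google's documentation, the following Python script encodes the role-to-permission lists from the Roles section, the gcloud permission list, and the API method table above, and audits a constructed project IAM policy (in the shape returned by getIamPolicy; the member names are made up) to report who can call which method, who lacks the gcloud permissions, and whether an environment service account still holds a basic role instead of Composer Worker.

```python
"""Audit a project IAM policy against the Cloud Composer role guidance on this page.
Added example, not Google's code; role contents come from this page's Roles tables."""
from fnmatch import fnmatchcase
# Permissions granted by each Composer role, as listed on this page ('*' = wildcard).
# Basic roles (owner/editor/viewer) are not expanded; they are flagged instead.
ROLE_PERMISSIONS = {
    "roles/composer.admin": ["composer.*", "serviceusage.quotas.get",
                             "serviceusage.services.get", "serviceusage.services.list"],
    "roles/composer.user": ["composer.environments.get", "composer.environments.list",
                            "composer.imageversions.*", "composer.operations.get",
                            "composer.operations.list"],
    "roles/composer.worker": ["composer.environments.get", "container.*",
                              "logging.logEntries.create", "storage.objects.*"],
    "roles/iam.serviceAccountUser": ["iam.serviceAccounts.actAs"],
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Permissions needed to use gcloud with an environment (from this page).
GCLOUD_REQUIRED = ["composer.environments.get", "container.clusters.get",
                   "container.clusters.list", "container.clusters.getCredentials"]
# API method -> permissions the caller needs (from this page's Permissions table).
METHOD_PERMISSIONS = {
    "environments.create": ["composer.environments.create", "iam.serviceAccounts.actAs"],
    "environments.delete": ["composer.environments.delete"],
}

def roles_of(member, policy):
    """Roles bound to a member in a policy shaped like getIamPolicy output."""
    return [b["role"] for b in policy["bindings"] if member in b["members"]]

def has_permission(member, policy, permission):
    patterns = [p for r in roles_of(member, policy) for p in ROLE_PERMISSIONS.get(r, [])]
    return any(fnmatchcase(permission, p) for p in patterns)

def missing_permissions(member, policy, required):
    return [p for p in required if not has_permission(member, policy, p)]

def can_call(member, policy, method):
    return not missing_permissions(member, policy, METHOD_PERMISSIONS[method])

def basic_roles_on_environment_sa(sa_member, policy):
    """An environment service account should hold composer.worker, not a basic role."""
    return sorted(set(roles_of(sa_member, policy)) & BASIC_ROLES)
# Constructed sample policy: the default Compute Engine SA still holds Editor.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]},
    {"role": "roles/composer.worker", "members": ["serviceAccount:composer-env@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/composer.user", "members": ["user:analyst@example.com"]},
    {"role": "roles/composer.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:admin@example.com"]},
]}
```

Note that the Composer User role alone does not include the container.clusters.* permissions listed above, so the sample analyst is reported as missing them, and that environments.create requires iam.serviceAccounts.actAs in addition to Composer Administrator, which is why the Service Account User role is part of the recommended assignments.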

Using a service account from another project

If you want a Cloud Composer environment in one project to use a user-managed service account from a different project:

  1. Configure the user-managed service account to work across projects.
  2. As part of this process, you must grant the Service Account Token Creator role to the following Google-managed service accounts on your user-managed service account:

    1. Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
    2. Cloud Composer Service Agent (service-PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com)