Access control

This page describes the access control options available to you in Cloud Composer and explains how to assign roles.

Overview

Cloud Composer uses Identity and Access Management (IAM) for access control.

For a detailed description of IAM and its features, see the IAM documentation.

For information about granting roles, see Manage access to projects, folders, and organizations.

You can also control permissions for the Airflow web interface beyond providing access to it. For more information, see Airflow Role-Based Access Control.

About service accounts for Cloud Composer environments

When you create an environment, you specify a service account. This service account runs GKE nodes of your Cloud Composer environment.

By default, Cloud Composer environments run using the default Compute Engine service account. This Google-managed service account has broad permissions, usually the Editor basic role.

We recommend that you set up a user-managed service account for Cloud Composer environments. Assign this account a role that is specific to Cloud Composer. Afterwards, specify this service account when creating new environments.

About roles for Cloud Composer users

To trigger an environment operation, a user must have enough permissions. For example, if you want to create a new environment, you must have the composer.environments.create permission.

For Cloud Composer, individual permissions are grouped into roles. You can assign these roles to members of your project.

If you have the Project Editor role, then you can execute all environment operations. However, this role has broad permissions. For users that work with environments, we recommend using roles that are specific to Cloud Composer. In this way, you can narrow the scope of permissions and provide different access levels to members of your project. For example, one user can have permissions to create, update, upgrade, and delete environments, while another user can only view environments and access the Airflow web interface.

Assign roles to a user-managed service account

For a user-managed service account that runs Cloud Composer environments:

  • For a public IP configuration, assign the Composer Worker (composer.worker) role.
  • For a private IP configuration:
    1. Assign the Composer Worker (composer.worker) role.
    2. Assign the Service Account User (iam.serviceAccountUser) role.

Assign roles to users

Depending on the level of access that you want to provide for Cloud Composer environments, grant the following permissions to members of your project.

Manage environments and environment buckets

For a user that can view, create, update, upgrade, and delete environments, manage objects (such as DAG files) in the environment buckets, and access the Airflow web interface:

  1. Assign the Environment and Storage Object Administrator (composer.environmentAndStorageObjectAdmin) role.
  2. Assign the Service Account User (iam.serviceAccountUser) role.

Manage environments

For a user that can view, create, update, upgrade, and delete environments, and access the Airflow web interface:

  1. Assign the Composer Administrator (composer.admin) role.
  2. Assign the Service Account User (iam.serviceAccountUser) role.

View environments and manage environment buckets

For a user that can view environments, access the Airflow web interface, and manage objects in the environment buckets (for example, to upload new DAG files):

  1. Assign the Environment User and Storage Object Viewer (composer.environmentAndStorageObjectViewer) role.
  2. Assign the Storage Object Admin (storage.objectAdmin) role.

View environments and environment buckets

For a user that can view environments, access the Airflow web interface, and view objects in environment buckets, assign the Environment User and Storage Object Viewer (composer.environmentAndStorageObjectViewer) role.

View environments

For a user that can view environments and access the Airflow web interface, assign the Composer User (composer.user) role.
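The two sections above describe which roles the environment service account and each class of user should hold. The following script is an added example (not part of the Cloud Composer documentation) that audits a project IAM policy against those recommendations. It works on the JSON shape that gcloud projects get-iam-policy --format=json returns; the policy, project, members, and etag embedded below are constructed for the example, and the finding strings are this example's own naming.

```python
import json
import re
from collections import defaultdict

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json`.
# Project, members and etag are made up for this example.
POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/composer.worker",
     "members": ["serviceAccount:composer-env@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/composer.user",
     "members": ["user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
"""
POLICY = json.loads(POLICY_JSON)

# Basic roles the page describes as broad; Composer-specific roles are preferred.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# The default Compute Engine service account is named
# PROJECT_NUMBER-compute@developer.gserviceaccount.com.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def roles_by_member(policy):
    """Invert the binding list into {member: set(roles)}.

    Conditional bindings are counted as granted here; a stricter audit would
    inspect each binding's "condition" field.
    """
    result = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result[member].add(binding["role"])
    return result


def check_environment_service_account(policy, sa_email, private_ip):
    """Findings for the service account that runs an environment's GKE nodes.

    Expected per the page: roles/composer.worker for a public IP
    configuration, plus roles/iam.serviceAccountUser for private IP; it
    should not be the default Compute Engine account and should hold no
    basic role. Returns an empty list when everything matches.
    """
    roles = roles_by_member(policy).get(f"serviceAccount:{sa_email}", set())
    findings = []
    if DEFAULT_COMPUTE_SA.match(sa_email):
        findings.append("default-compute-sa")
    for role in sorted(roles & BASIC_ROLES):
        findings.append(f"basic-role:{role}")
    if "roles/composer.worker" not in roles:
        findings.append("missing:roles/composer.worker")
    if private_ip and "roles/iam.serviceAccountUser" not in roles:
        findings.append("missing:roles/iam.serviceAccountUser")
    return findings


def users_with_basic_roles(policy):
    """Human principals (user:/group:) holding Owner or Editor on the project.

    These should normally be moved to composer.admin, composer.user or one of
    the other Composer-specific roles listed on this page.
    """
    flagged = {}
    for member, roles in roles_by_member(policy).items():
        if member.startswith(("user:", "group:")):
            broad = sorted(roles & BASIC_ROLES)
            if broad:
                flagged[member] = broad
    return flagged


if __name__ == "__main__":
    sa = "composer-env@example-project.iam.gserviceaccount.com"
    print("environment SA (private IP):", check_environment_service_account(POLICY, sa, True))
    print("default compute SA:", check_environment_service_account(
        POLICY, "123456789012-compute@developer.gserviceaccount.com", False))
    print("users with basic roles:", users_with_basic_roles(POLICY))
```

Run it against a real project by replacing POLICY_JSON with the output of gcloud projects get-iam-policy; the checks only look at project-level bindings, so a role granted directly on a service account resource or on a folder or organization above the project is not seen by this script.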

Assign permissions to use gcloud with environments

The following permissions are required to use the gcloud command-line tool with Cloud Composer environments, for example, to run Airflow CLI commands.

If you want to manage environments or environment buckets with gcloud composer commands, you must also have a role that has enough permissions to do so.

To use gcloud with Cloud Composer environments, you need the following permissions:

  • composer.environments.get
  • container.clusters.get
  • container.clusters.list
  • container.clusters.getCredentials

Roles

roles/composer.ServiceAgentV2Ext
  Title: Cloud Composer v2 API Service Agent Extension
  Description: Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.
  Permissions:
    • iam.serviceAccounts.getIamPolicy
    • iam.serviceAccounts.setIamPolicy

roles/composer.admin
  Title: Composer Administrator
  Description: Provides full control of Cloud Composer resources.
  Permissions:
    • composer.*
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
  Lowest resource: Project

roles/composer.environmentAndStorageObjectAdmin
  Title: Environment and Storage Object Administrator
  Description: Provides full control of Cloud Composer resources and of the objects in all project buckets.
  Permissions:
    • composer.*
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
    • storage.objects.*
  Lowest resource: Project

roles/composer.environmentAndStorageObjectViewer
  Title: Environment User and Storage Object Viewer
  Description: Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.
  Permissions:
    • composer.environments.get
    • composer.environments.list
    • composer.imageversions.*
    • composer.operations.get
    • composer.operations.list
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
    • storage.objects.get
    • storage.objects.list
  Lowest resource: Project

roles/composer.sharedVpcAgent
  Title: Composer Shared VPC Agent
  Description: Role that should be assigned to the Composer Agent service account in the Shared VPC host project.
  Permissions:
    • compute.networks.access
    • compute.networks.addPeering
    • compute.networks.get
    • compute.networks.list
    • compute.networks.listPeeringRoutes
    • compute.networks.removePeering
    • compute.networks.updatePeering
    • compute.networks.use
    • compute.networks.useExternalIp
    • compute.projects.get
    • compute.regions.*
    • compute.subnetworks.get
    • compute.subnetworks.list
    • compute.subnetworks.use
    • compute.subnetworks.useExternalIp
    • compute.zones.*

roles/composer.user
  Title: Composer User
  Description: Provides the permissions necessary to list and get Cloud Composer environments and operations.
  Permissions:
    • composer.environments.get
    • composer.environments.list
    • composer.imageversions.*
    • composer.operations.get
    • composer.operations.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
  Lowest resource: Project

roles/composer.worker
  Title: Composer Worker
  Description: Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
  Permissions:
    • artifactregistry.*
    • cloudbuild.*
    • container.*
    • containeranalysis.occurrences.create
    • containeranalysis.occurrences.delete
    • containeranalysis.occurrences.get
    • containeranalysis.occurrences.list
    • containeranalysis.occurrences.update
    • logging.logEntries.create
    • monitoring.metricDescriptors.create
    • monitoring.metricDescriptors.get
    • monitoring.metricDescriptors.list
    • monitoring.monitoredResourceDescriptors.*
    • monitoring.timeSeries.*
    • pubsub.schemas.attach
    • pubsub.schemas.create
    • pubsub.schemas.delete
    • pubsub.schemas.get
    • pubsub.schemas.list
    • pubsub.schemas.validate
    • pubsub.snapshots.create
    • pubsub.snapshots.delete
    • pubsub.snapshots.get
    • pubsub.snapshots.list
    • pubsub.snapshots.seek
    • pubsub.snapshots.update
    • pubsub.subscriptions.consume
    • pubsub.subscriptions.create
    • pubsub.subscriptions.delete
    • pubsub.subscriptions.get
    • pubsub.subscriptions.list
    • pubsub.subscriptions.update
    • pubsub.topics.attachSubscription
    • pubsub.topics.create
    • pubsub.topics.delete
    • pubsub.topics.detachSubscription
    • pubsub.topics.get
    • pubsub.topics.list
    • pubsub.topics.publish
    • pubsub.topics.update
    • pubsub.topics.updateTag
    • remotebuildexecution.blobs.get
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
    • source.repos.get
    • source.repos.list
    • storage.buckets.create
    • storage.buckets.get
    • storage.buckets.list
    • storage.objects.*
  Lowest resource: Project
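The permissions list in "Assign permissions to use gcloud with environments" and the Roles table above together let you work out whether a given set of roles is enough to run gcloud against an environment. Entries in the table that end in ".*" are wildcards covering every permission with that prefix, which is why composer.admin grants composer.environments.get while composer.user, which lists that permission literally, grants nothing under container.*. The following is an added example (not code from the Cloud Composer documentation) that expands those wildcards and reports which of the four gcloud permissions are still missing. The role-to-permission map is copied from the table on this page, with roles/composer.worker cut down to the entries relevant here; the function names are this example's own.

```python
# Role -> permissions, copied from the Roles table on this page. Patterns that
# end in ".*" are wildcards covering every permission with that prefix.
# roles/composer.worker is shortened to the entries relevant to this check.
ROLE_PERMISSIONS = {
    "roles/composer.user": [
        "composer.environments.get", "composer.environments.list",
        "composer.imageversions.*", "composer.operations.get",
        "composer.operations.list", "serviceusage.quotas.get",
        "serviceusage.services.get", "serviceusage.services.list",
    ],
    "roles/composer.admin": [
        "composer.*", "serviceusage.quotas.get",
        "serviceusage.services.get", "serviceusage.services.list",
    ],
    "roles/composer.worker": [
        "container.*", "storage.objects.*",  # remaining table entries omitted
    ],
}

# Permissions the page lists as required to use gcloud with environments.
GCLOUD_REQUIRED = (
    "composer.environments.get",
    "container.clusters.get",
    "container.clusters.list",
    "container.clusters.getCredentials",
)


def permission_matches(pattern, permission):
    """True if a table entry (literal or "prefix.*" wildcard) covers a permission.

    "composer.*" covers "composer.environments.get" but not "composerx.foo",
    because the comparison keeps the trailing dot of the prefix.
    """
    if pattern.endswith(".*"):
        return permission.startswith(pattern[:-1])
    return pattern == permission


def granted_patterns(roles, extra_permissions=()):
    """Collect every permission pattern the given roles grant.

    extra_permissions lets you add patterns from roles outside the table
    (for example a Kubernetes Engine role that supplies container.*).
    Unknown roles raise rather than silently granting nothing.
    """
    patterns = list(extra_permissions)
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"role not in table: {role}")
        patterns.extend(ROLE_PERMISSIONS[role])
    return patterns


def has_permission(roles, permission, extra_permissions=()):
    return any(permission_matches(p, permission)
               for p in granted_patterns(roles, extra_permissions))


def missing_gcloud_permissions(roles, extra_permissions=()):
    """The gcloud-required permissions not covered by the given roles, in table order."""
    return [p for p in GCLOUD_REQUIRED
            if not has_permission(roles, p, extra_permissions)]


if __name__ == "__main__":
    for roles in (["roles/composer.user"], ["roles/composer.admin"],
                  ["roles/composer.user", "roles/composer.worker"]):
        print(roles, "->", missing_gcloud_permissions(roles))
```

The check is deliberately strict about unknown roles: a silent "no permissions" result for a mistyped role name would look identical to a genuine gap, so the function raises instead.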

Basic roles

roles/owner
  Title: Owner
  Description: Basic role that allows full control of Cloud Composer resources.
  Permissions:
    • composer.operations.list
    • composer.operations.get
    • composer.operations.delete
    • composer.environments.list
    • composer.environments.get
    • composer.environments.delete
    • composer.environments.update
    • composer.environments.create
    • iam.serviceAccounts.actAs
  Lowest resource: Project

roles/editor
  Title: Editor
  Description: Basic role that allows full control of Cloud Composer resources.
  Permissions:
    • composer.operations.list
    • composer.operations.get
    • composer.operations.delete
    • composer.environments.list
    • composer.environments.get
    • composer.environments.delete
    • composer.environments.update
    • composer.environments.create
    • iam.serviceAccounts.actAs
  Lowest resource: Project

roles/reader
  Title: Viewer
  Description: Basic role that allows a user to list and get Cloud Composer resources.
  Permissions:
    • composer.operations.list
    • composer.operations.get
    • composer.environments.list
    • composer.environments.get
  Lowest resource: Project

Permissions

The following table lists permissions that the caller must have to call each API method in the Cloud Composer API or to perform tasks using Google Cloud tools that use the API (such as Google Cloud Console or Cloud SDK).

Method               Permission
environments.create  composer.environments.create, and iam.serviceAccounts.actAs on the environment's service account
environments.delete  composer.environments.delete
environments.get     composer.environments.get
environments.list    composer.environments.list
environments.update  composer.environments.update
operations.delete    composer.operations.delete
operations.get       composer.operations.get
operations.list      composer.operations.list

What's next