This page describes how to access resources that are located in a different Google Cloud project than your Cloud Composer environment.
We recommend accessing resources in other Google Cloud projects in the following way:
- In your DAGs, use the default connections that are preconfigured in your environment. For example, the google_cloud_default connection is used by many Google Cloud operators and is automatically configured when you create an environment.
- Grant extra IAM permissions and roles to the service account of your environment, so that it can access resources in a different project.
Determine the service account of your environment
To determine the service account of your environment:
Console
- In Google Cloud console, go to the Environments page.
- In the list of environments, click the name of your environment. The Environment details page opens.
- Go to the Environment configuration tab.
- The service account of your environment is listed in the Service account field.
The value is an email address, such as service-account-name@example-project.iam.gserviceaccount.com.
gcloud
gcloud composer environments describe ENVIRONMENT_NAME \
--location LOCATION \
--format="get(config.nodeConfig.serviceAccount)"
The value is an email address, such as service-account-name@example-project.iam.gserviceaccount.com.
Grant IAM roles and permissions to access resources in another project
The service account of your environment requires permissions to access resources in another project. These roles and permissions can be different based on the resource that you want to access.
Access a specific resource
We recommend granting roles and permissions for specific resources, such as a single Cloud Storage bucket located in a different project. In this approach, you use resource-based access with conditional role bindings.
To access a specific resource:
- Follow the Configure resource-based access guide.
- When granting roles and permissions, specify the service account of your environment as a principal.
Access a resource type
As an alternative, you can grant roles and permissions based on the resource type, such as all Cloud Storage buckets located in a different project.
To access a resource type:
- Follow the Manage access to other resources guide.
- When granting roles and permissions, specify the service account of your environment as a principal.
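The following script is an added example and is not part of the Cloud Composer documentation or of the product. It strings the two steps above together with gcloud: it looks up the environment's service account with the describe command shown earlier, then grants that account a role on one specific bucket in another project (the resource-based approach), and, for comparison, a project-level role narrowed with an IAM condition to buckets that share a name prefix (the resource-type approach). Because every DAG in the environment runs as this one service account, the grants are kept as narrow as the page recommends, and each grant function refuses any principal that is not a service account address so a typo cannot bind the role to a user or group. ENVIRONMENT_NAME, LOCATION, OTHER_PROJECT_ID, OTHER_PROJECT_BUCKET and the bucket prefix composer-data- are assumed placeholder values, not values from the page.

```shell
#!/bin/sh
# Added example (not from the Cloud Composer documentation): look up a Cloud
# Composer environment's service account and grant it least-privilege access
# to a bucket in another project. ENVIRONMENT_NAME, LOCATION, OTHER_PROJECT_ID
# and OTHER_PROJECT_BUCKET are assumed placeholders, not values from the page.
#
# DRY_RUN=1 prints each gcloud command instead of executing it;
# SERVICE_ACCOUNT=<email> skips the lookup (useful together with DRY_RUN=1);
# RUN_EXAMPLE=1 runs the workflow at the bottom of the file.

set -u

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a Google service account address (either the *.iam.gserviceaccount.com
# form shown on the page or the default Compute form). Binding a role to a user or
# group address by mistake would grant the access to the wrong principal.
is_service_account_email() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.gserviceaccount\.com$'
}

# Print the service account of a Composer environment (the command from the page).
composer_service_account() {
    # $1 = environment name, $2 = location
    gcloud composer environments describe "$1" \
        --location "$2" \
        --format="get(config.nodeConfig.serviceAccount)"
}

# Resource-based grant: a role on one specific bucket in the other project.
grant_bucket_role() {
    # $1 = service account email, $2 = bucket name (no gs:// prefix), $3 = role
    is_service_account_email "$1" || { echo "refusing non-service-account principal: $1" >&2; return 1; }
    run gcloud storage buckets add-iam-policy-binding "gs://$2" \
        --member="serviceAccount:$1" \
        --role="$3"
}

# Resource-type grant narrowed with an IAM condition: a project-level role that
# applies only to buckets whose name starts with the given prefix.
grant_project_role_for_bucket_prefix() {
    # $1 = service account email, $2 = project id, $3 = role, $4 = bucket name prefix
    is_service_account_email "$1" || { echo "refusing non-service-account principal: $1" >&2; return 1; }
    run gcloud projects add-iam-policy-binding "$2" \
        --member="serviceAccount:$1" \
        --role="$3" \
        --condition="expression=resource.name.startsWith(\"projects/_/buckets/$4\"),title=composer-bucket-prefix"
}

# Verification step: show who holds which role on the bucket after the change.
show_bucket_policy() {
    run gcloud storage buckets get-iam-policy "gs://$1" --format=json
}

example_workflow() {
    env_name="ENVIRONMENT_NAME"          # placeholder
    location="LOCATION"                  # placeholder
    other_project="OTHER_PROJECT_ID"     # placeholder
    bucket="OTHER_PROJECT_BUCKET"        # placeholder

    sa="${SERVICE_ACCOUNT:-$(composer_service_account "$env_name" "$location")}"
    echo "environment service account: $sa"

    # Read-only access to the one bucket the DAGs need, nothing broader.
    grant_bucket_role "$sa" "$bucket" "roles/storage.objectViewer"
    show_bucket_policy "$bucket"

    # Alternative for comparison: every bucket in the project that shares a prefix.
    grant_project_role_for_bucket_prefix "$sa" "$other_project" "roles/storage.objectViewer" "composer-data-"
}

if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    example_workflow
fi
```

Run it first as `RUN_EXAMPLE=1 DRY_RUN=1 SERVICE_ACCOUNT=composer-env@example-project.iam.gserviceaccount.com sh grant-cross-project.sh` to review the exact bindings it would create, then without DRY_RUN once the placeholders are replaced. After the grant, the get-iam-policy output is the place to confirm that only the environment's service account gained the role and that the role is the narrow one you intended; the default Airflow connections in the environment then work against the other project's bucket without any connection changes.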
After you grant the required permissions and roles, you can access resources in a different project with the same default Airflow connections that you use to access resources in the project where your environment is located.