composer/ERR/2022_001

Composer Service Agent permissions

Product: Cloud Composer
Rule class: ERR - Something that is very likely to be wrong

Description

Cloud Composer uses a Google-managed service account, called the Cloud Composer Service Agent, to provision resources in the project.

The roles/composer.serviceAgent role is automatically assigned to this account during Composer API activation and shouldn’t be revoked.

Remediation

Ensure that the IAM policy for the project contains the following binding:

  • Principal: service-PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com
  • Role: roles/composer.serviceAgent
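
One way to check for this binding offline, as an added example that is not part of this rule's own code: it classifies a policy saved with `gcloud projects get-iam-policy PROJECT_ID --format=json`. The function names, the sample policy, the placeholder project numbers and the choice to report conditional grants separately are assumptions of the example.

```python
import json

ROLE = "roles/composer.serviceAgent"


def agent_member(project_number):
    # IAM policies list service accounts with the "serviceAccount:" prefix.
    return (f"serviceAccount:service-{project_number}"
            "@cloudcomposer-accounts.iam.gserviceaccount.com")


def check_service_agent(policy, project_number):
    """Classify a project IAM policy dict as 'ok', 'conditional' or 'missing'."""
    member = agent_member(project_number)
    status = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != ROLE:
            continue  # the agent holding some other role does not count
        if member not in binding.get("members", []):
            continue  # role granted, but to a different principal
        if "condition" not in binding:
            return "ok"
        # Assumption of this example: a grant that only exists behind an
        # IAM condition is reported separately so it can be reviewed.
        status = "conditional"
    return status


# Constructed sample policy; both project numbers are placeholders.
# The agent of 123456789012 holds roles/editor only, and the service agent
# role is bound to the agent of a different project number.
SAMPLE = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:service-123456789012@cloudcomposer-accounts.iam.gserviceaccount.com"]},
  {"role": "roles/composer.serviceAgent",
   "members": ["serviceAccount:service-999999999999@cloudcomposer-accounts.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    print(check_service_agent(SAMPLE, "123456789012"))
```

The match is on both the exact role and the exact member string, so a policy where the agent has a broader role, or where the role is bound to another project's agent, is still reported as missing.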

Further information