composer/ERR/2022_002
Composer Environment Service Account permissions
Product: Cloud Composer
Rule class: ERR - Something that is very likely to be wrong
Description
The service account used by a Cloud Composer environment is required to have the composer.worker role. In addition, in Private IP environments temporary GKE node pools can be created, and the environment’s service account needs to be able to impersonate itself.
Remediation
Ensure that you have the following binding in the IAM policy for the project:
- Principal: service account of a Composer environment
- Role: roles/composer.worker
Private IP environments additionally require the following binding in the IAM policy for the environment’s service account or for the whole project:
- Principal: service account of a Composer environment
- Role: roles/iam.serviceAccountUser