composer/WARN/2022_001

Composer Service Agent permissions for Composer 2.x

Product: Cloud Composer
Rule class: WARN - Something that is possibly wrong

Description

Cloud Composer 2 uses Workload Identity and requires additional permissions in order to successfully create an environment. Those permissions are provided by composer.ServiceAgentV2Ext role and must be granted manually.

Remediation

Ensure that you’ve the following binding in the IAM policy for the project:

Principal: service-PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com
Role: roles/composer.ServiceAgentV2Ext

Further information

Grant required permissions to Cloud Composer service account