OnSeptember 15, 2026, all Cloud Composer 1 versions and versions 2.0.x of Cloud Composer 2 willreach their planned end of life. You will not be able to use environments with these versions. We recommend planning migration to Cloud Composer 3. Cloud Composer 2 versions 2.1.x and later are still supported and are not impacted by this change.

Access resources in another project

Cloud Composer 3 | Cloud Composer 2 | Cloud Composer 1

This page describes how to access resources that are located in a differentGoogle Cloud project than your Cloud Composer environment.

If you want to use a service account from one project to run environments inanother project, seeUsing a service account from another project.

If you want to use Airflow operators to interact with Cloud Composerenvironments, including environments in other projects, seeTrigger DAGs in other environments and projects.

We recommend to access resources in other Google Cloud projects in thefollowing way:

In your DAGs, use the default connections that are preconfigured in yourenvironment.
For example, thegoogle_cloud_default connection is used by manyGoogle Cloud operators and is automatically configured when youcreate an environment.
Grant extra IAM permissions and roles to theservice account of your environment, so that it canaccess resources in a different project.

Determine the service account of your environment

To determine the service account of your environment:

Console

In Google Cloud console, go to theEnvironments page.
Go to Environments
In the list of environments, click the name of your environment.TheEnvironment details page opens.
Go to theEnvironment configuration tab.
The service account of your environment is listed intheService account field.
The value is an email address, such asservice-account-name@example-project.iam.gserviceaccount.com.

gcloud

gcloudcomposerenvironmentsdescribeENVIRONMENT_NAME\--locationLOCATION\--format="get(config.nodeConfig.serviceAccount)"

The value is an email address, such asservice-account-name@example-project.iam.gserviceaccount.com.

Grant IAM roles and permissions to access resources in another project

The service account of your environment requires permissions to accessresources in another project. These roles and permissions can be differentbased on the resource that you want to access.

Access a specific resource

We recommend to grant roles and permissions for specific resources, such as asingle Cloud Storage bucket located in a different project. In thisapproach, you use resource-based access with conditional role bindings.

To access a specific resource:

Follow theConfigure resource-based access guide.
When granting roles and permissions, specify theservice account of your environment as aprincipal.

Access a resource type

As an alternative, you can grant roles and permissions based on the resourcetype, such as all Cloud Storage buckets located in a differentproject.

To access a resource type:

Follow theManage access to other resources guide.
When granting roles and permissions, specify theservice account of your environment as aprincipal.

After you grant the required permissions and roles, you can access resources ina different project with the same default Airflow connectionsthat you use to access resources in the project where your environment islocated.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.

Movatterモバイル変換

Access resources in another project Stay organized with collections Save and categorize content based on your preferences.