Install Python dependencies
Cloud Composer 3 | Cloud Composer 2 | Cloud Composer 1
This page describes how to install Python packages for yourCloud Composer environment.
About packages in Cloud Composer
This section explains how PyPI packages work in Cloud Composer.
Preinstalled and custom PyPI packages in Cloud Composer images
Cloud Composer images contains both preinstalled and custom PyPIpackages.
Preinstalled PyPI packages are packages that are included inthe Cloud Composer image of your environment. EachCloud Composer image containsPyPI packages that are specific for your version ofCloud Composer and Airflow.
Custom PyPI packages are packages that you can install in your environmentin addition to preinstalled packages.
Options to manage PyPI packages for Cloud Composer environments
| Option | Use if |
|---|---|
| Install from PyPI | The default way to install packages in your environment |
| Install from a repository with a public IP address | The package is hosted in a package repository other than PyPI.This repository has a public IP address |
| Install from an Artifact Registry repository | The package is hosted in an Artifact Registry repository |
| Install from a repository in your project's network | Your environment does not have access to public internet. The packageis hosted in a package repository in your project's network. |
| Install as a local Python library | The package cannot be found in PyPI, and the librarydoes not have any external dependencies, such asdist-packages. |
| Install a plugin | The package provides plugin-specific functionality, such as modifyingthe Airflow web interface. |
| PythonVirtualenvOperator | You don't want the package to be installed for all Airflow workers, orthe dependency conflicts with preinstalled packages. The packagecan be found in the PyPI and has no external dependencies. |
| KubernetesPodOperator andGKE operators | You require external dependencies that cannot be installed frompip,such asdist-packages, or are on an internal pip server. Thisoption requires more setup and maintenance. Consider it only if otheroptions don't work. |
Before you begin
You must have a role that can trigger environment updateoperations. In addition, the service account of the environment must havea role that has enough permissions to perform updateoperations.
Important: When you install PyPI packages in your environment,Airflow executes Python code from the installed package. Make sure thatyou install packages that come from sources that you can trust.Users with thecomposer.environments.updatepermission can execute Pythoncode on behalf of the environment's service account when installingpackages in your environment. For more information, seeAccess control.If your environment is protected by a VPC Service Controls perimeter,then before installing PyPI dependencies you mustgrant additional user identities with access to services thatthe service perimeter protects and enable support for a private PyPIrepository.
Requirements must follow the format specifiedinPEP-508 where each requirement is specified inlowercase and consists of the package name with optional extras and versionspecifiers.
If a dependency conflict causes the update to fail, your environmentcontinues running with its existing dependencies. If the operationsucceeds, you can begin using the newly installed Python dependencies inyour DAGs.
PythonVirtualenvOperator doesn't use the configuration from your environment's
pip.conffile. If you want to use specific dependencies, includinginstalling them from a custom index, pass requirements in therequirementsparameter as a list of strings. For more information about the format, seeRequirements File Format in the pipdocumentation.
View the list of PyPI packages
You can get the list of packages for your environment in several formats.
View preinstalled packages
To view the list of preinstalled packages for your environment, seethe list of packages for theCloud Composer image of your environment.
View all packages
To view all packages (both preinstalled and custom) in your environment:
gcloud
The following gcloud CLI command returns the result ofthepython -m pip list command for an Airflow worker in your environment.You can use the--tree argument to get the result of thepython -m pipdeptree --warn command.
gcloudbetacomposerenvironmentslist-packages\ENVIRONMENT_NAME\--locationLOCATIONReplace:
ENVIRONMENT_NAMEwith the name of the environment.LOCATIONwith the region where the environment is located.
View custom PyPI packages
Console
In Google Cloud console, go to theEnvironments page.
In the list of environments, click the name of your environment.TheEnvironment details page opens.
Go to thePyPI Packages tab.
gcloud
gcloudcomposerenvironmentsdescribeENVIRONMENT_NAME\--locationLOCATION\--format="value(config.softwareConfig.pypiPackages)"Replace:
ENVIRONMENT_NAMEwith the name of the environment.LOCATIONwith the region where the environment is located.
Install custom packages in a Cloud Composer environment
This section describes different methods for installing custom packages in yourenvironment.
Install packages from PyPI
A package can be installed fromPython Package Index if it has no externaldependencies or conflicts with preinstalled packages.
Note: You can loosen version constraints for installed custom PyPI packages.For example, instead of specifying a version as==1.0.1, specify itas>=1.0.1.To add, update, or delete the Python dependencies for your environment:
Console
In Google Cloud console, go to theEnvironments page.
In the list of environments, click the name of your environment.TheEnvironment details page opens.
Go to thePyPI packages tab.
ClickEdit
ClickAdd package.
In thePyPI packages section, specify package names, with optionalversion specifiers and extras.
For example:
scikit-learnscipy,>=0.13.3nltk,[machine_learning]
ClickSave.
gcloud
gcloud CLI has several arguments for working with custom PyPIpackages:
--update-pypi-packages-from-filereplaces all existing customPyPI packages with the specified packages. Packages that you don'tspecify are removed.--update-pypi-packageupdates or installs one package.--remove-pypi-packagesremoves specified packages.--clear-pypi-packagesremoves all packages.
Installing requirements from a file
Therequirements.txt file must have eachrequirement specifier on a separate line.
For example:
scipy>=0.13.3scikit-learnnltk[machine_learning]Update your environment, and specify therequirements.txt file inthe--update-pypi-packages-from-file argument.
gcloudcomposerenvironmentsupdateENVIRONMENT_NAME\--locationLOCATION\--update-pypi-packages-from-filerequirements.txtReplace:
ENVIRONMENT_NAMEwith the name of the environment.LOCATIONwith the region where the environment is located.
Installing one package
Update your environment, and specify the package, version, and extras inthe--update-pypi-package argument.
gcloudcomposerenvironmentsupdateENVIRONMENT_NAME\--locationLOCATION\--update-pypi-packagePACKAGE_NAMEEXTRAS_AND_VERSIONReplace:
ENVIRONMENT_NAMEwith the name of the environment.LOCATIONwith the region where the environment is located.PACKAGE_NAMEwith the name of the package.EXTRAS_AND_VERSIONwith the optional version and extras specifier. Toomit versions and extras, specify an empty value.
>. To avoid potential issues, putthe package name and version in quotes, for example:"scipy>=0.13.0".Example:
gcloudcomposerenvironmentsupdateexample-environment\--locationus-central1\--update-pypi-package"scipy>=0.13.3"Removing packages
Update your environment, and specify the packages that you want to delete in the--remove-pypi-packages argument:
gcloudcomposerenvironmentsupdateENVIRONMENT_NAME\--locationLOCATION\--remove-pypi-packagesPACKAGE_NAMESReplace:
ENVIRONMENT_NAMEwith the name of the environment.LOCATIONwith the region where the environment is located.PACKAGE_NAMESwith a comma-separated list of packages.
Example:
gcloudcomposerenvironmentsupdateexample-environment\--locationus-central1\--remove-pypi-packagesscipy,scikit-learnAPI
Construct anenvironments.patch API request.
In this request:
In the
updateMaskparameter, specify the mask:- Use
config.softwareConfig.pypiPackagesmask to replace all existingpackages with the specified packages. Packages that you don'tspecify are deleted. - Use
config.softwareConfig.envVariables.PACKAGE_NAMEto add orupdate a specific package. To add or update several packages,specify several masks with commas.
- Use
In the request body, specify packages and values for versions and extras:
{"config":{"softwareConfig":{"pypiPackages":{"PACKAGE_NAME":"EXTRAS_AND_VERSION"}}}}Replace:
PACKAGE_NAMEwith the name of the package.EXTRAS_AND_VERSIONwith the optional version and extras specifier. Toomit versions and extras, specify an empty value.- To add more than one package, add extra entries for packagesto
pypiPackages.
Example:
// PATCH https://composer.googleapis.com/v1/projects/example-project/// locations/us-central1/environments/example-environment?updateMask=// config.softwareConfig.pypiPackages.EXAMPLE_PACKAGE,// config.softwareConfig.pypiPackages.ANOTHER_PACKAGE{"config":{"softwareConfig":{"pypiPackages":{"EXAMPLE_PACKAGE":"","ANOTHER_PACKAGE":">=1.10.3"}}}}Terraform
Thepypi_packages block in thesoftware_config block specifiespackages.
resource"google_composer_environment""example"{name="ENVIRONMENT_NAME"region="LOCATION"config{software_config{pypi_packages={PACKAGE_NAME="EXTRAS_AND_VERSION"}}}}Replace:
ENVIRONMENT_NAMEwith the name of the environment.LOCATIONwith the region where the environment is located.PACKAGE_NAMEwith the name of the package.EXTRAS_AND_VERSIONwith the optional version and extras specifier. Toomit versions and extras, specify an empty value.- To add more than one package, add extra entries for packagesto
pypi_packages.
Example:
resource"google_composer_environment""example"{name="example-environment"region="us-central1"config{software_config{pypi_packages={scipy=">=1.10.3"scikit-learn=""nltk="[machine_learning]"}}}}Install packages from a public repository
You can install packages hosted in other repositories that have a public IPaddress.
The packages must beproperly configured, so that thedefaultpip tool can install it.
pip customization and doesnot resolve package dependencies and conflicts outside of the resolutionmechanisms that the defaultpip tool provides.To install from a package repository that has a public address:
Create apip.conf file and include the followinginformation in the file, if applicable:
- URL of the repository (in the
index-urlparameter) - Access credentials for the repository
- Non-default
pipinstallation options
Example:
[global]index-url=https://example.com/- URL of the repository (in the
(Optional) In some cases, you might want to fetch packages from multiplerepositories, such as when the public repository contains some specificpackages that you want to install, and you want to install all otherpackages from PyPI:
- Configure anArtifact Registry virtual repository.
- Add configuration for multiple repositories (including PyPI, if needed) and define the order in which
pipsearches the repositories. - Specify the virtual repository's URL in the
index-urlparameter.
Upload the pip.conf file to the
/config/pip/folder in your environment's bucket.Install packages usingone of the available methods.
Install packages from an Artifact Registry repository
You canstore packages in an Artifact Registry repositoryin your project, and configure your environment to install from it.
Note: If you use VPC Service Controls, then you cancreate Artifact Registry PyPI repository in VPC mode. Inthis case, follow theprocedure for private repositories when assigningpermissions.Configure roles and permissions:
Make sure that the Cloud Build service account haspermissions to read from your Artifact Registry repository.
If your environment has restricted access to other services in yourproject, for example, if you use VPC Service Controls:
Assign permissions to access your Artifact Registry repository tothe environment's service account instead of theCloud Build service account.
Make sure that connectivity to the Artifact Registry repository isconfigured in your project.
To install custom PyPI packages from an Artifact Registry repository:
Create apip.conf file and include the following information in the file, if applicable:
- URL of the Artifact Registry repository (in the
index-urlparameter) - Access credentials for the repository
- Non-default
pipinstallation options
For an Artifact Registry repository, append
/simple/to the repositoryURL:[global]index-url = https://us-central1-python.pkg.dev/example-project/example-repository/simple/- URL of the Artifact Registry repository (in the
(Optional) In some cases, you might want to fetch packages from multiplerepositories, such as when your Artifact Registry repository containssome specific packages that you want to install, and you want to installall other packages from PyPI:
- Configure anArtifact Registry virtual repository.
- Add configuration for multiple repositories (including PyPI, if needed) and define the order in which
pipsearches the repositories. - Specify the virtual repository's URL in the
index-urlparameter.
Upload this pip.conf file to the
/config/pip/folder in your environment's bucket. For example:gs://us-central1-example-bucket/config/pip/pip.conf.Install packages usingone of the available methods.
Install packages from a private repository
You can host a private repository in your project's network and configure yourenvironment to install Python packages from it.
Configure roles and permissions:
If you install custom PyPI packages from a repository in your project'snetwork, and this repository does not have a public IP address:
Assign permissions to access this repository to the environment'sservice account.
Make sure that connectivity to this repository is configured in yourproject.
To install packages from a private repository hosted in your project's network:
Create apip.conf file and include the following information in the file, if applicable:
- IP address of the repository in your project's network
- Access credentials for the repository
- Non-default
pipinstallation options
Example:
[global]index-url=https://192.0.2.10/(Optional) In some cases, you might want to fetch packages from multiplerepositories, such as when the private repository contains some specificpackages that you want to install, and you want to install all otherpackages from PyPI:
- Configure anArtifact Registry virtual repository.
- Add configuration for multiple repositories (including PyPI, if needed) and define the order in which
pipsearches the repositories. - Specify the virtual repository's URL in the
index-urlparameter.
(Optional)Youcan use a custom certificate when installing packages from your privaterepository. To do so:
Upload the certificate file to the
Caution:Don't upload private keys. Upload only a publiccertificate bundle in the PEM format. Verify that the certificatebundle contains the correct root CA./config/pip/folder in your environment's bucket.In pip.conf, specify the name of the certificate file in the
certparameter. Don't change the/etc/pip/folder.Example:
[global]cert =/etc/pip/example-certificate.pem
Upload the pip.conf file to the
/config/pip/folder in your environment's bucket. For example:gs://us-central1-example-bucket/config/pip/pip.conf.Install packages usingone of the available methods.
Install a local Python library
To install an in-house or local Python library:
Place the dependencies within a subdirectory in the
dags/folder in your environment's bucket. To import a module from asubdirectory, each subdirectory in the module's path must containan__init__.pypackage marker file.In the following example, the dependency is
coin_module.py:dags/ use_local_deps.py # A DAG file. dependencies/ __init__.py coin_module.pyImport the dependency from the DAG definition file.
For example:
fromdependenciesimportcoin_module__init__.py file is missing. Directory andfile names must be valid Python identifiers.Use packages that depend on shared object libraries
Certain PyPI packages depend on system-level libraries.While Cloud Composer does not support system libraries, you can usethe following options:
Use theKubernetesPodOperator. Set the Operator image to a custombuild image. If you experience packages that fail during installation dueto an unmet system dependency, use this option.
Upload the shared object libraries to your environment's bucket. If your PyPIpackages have installed successfully but fail at runtime, use this option.
- Manually find the shared object libraries for the PyPI dependency(an .so file).
- Upload the shared object libraries to the
/pluginsfolder in yourenvironment's bucket. - Set the following environment variable:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/airflow/gcs/plugins
plugins/ foldersare synced to the local file system. Uploading large .sofiles can affect the performance of your environment and the Airflow web server.Install packages in private IP environments
Depending on how you configure your project, your environment might not haveaccess to the public internet.
By default, your Cloud Composer 3 environmentcan access the internet wheninstalling PyPI packages. This works in all environment's networkingtypes (Private and Public IP). For example, you can install packages fromPython Package Index in a Private IP environment.
For more information, seeConfigure access to the internet when installing PyPI packages.
Private IP environment with public internet access
If your private IP environment can access public internet, then you caninstall packages using options for public IP environments:
- Install from PyPI. In this case, no special configuration is required.Follow the procedure described inInstall a package from PyPI.
- Install from a repository with a public IP address.Follow the procedure described inInstall a package from a private repository.
- Install from aprivate PyPI repository hosted in yourproject's network.
Private IP environment without internet access
If your private IP environment does not have access to public internet, thenyou can install packages using one of the following ways:
- Use aprivate PyPI repository hosted in your project'snetwork.
- Use aproxy server VM in your project's network to connectto a PyPI repository on the public internet. Specify the proxy address inthe
/config/pip/pip.conffile in your environment's bucket. - Use an Artifact Registry repository as the only sourceof packages. To do so, redefine the
index-urlparameter, as described. - If your security policy permits access to external IP addresses from yourVPC network, you can enable the installation of packages from repositorieson the public internet by configuringCloud NAT.
- Put Python dependencies into the
/dagsfolder in your environment's buckettoinstall them as local libraries. This might not be agood option if the dependency tree is large.
Install to a private IP environment under resource location restrictions
Keeping your project in line with Resource Location Restrictionrequirements prohibits the use of some tools. In particular, Cloud Buildcannot be used for package installation, preventing direct access torepositories on the public internet.
To install Python dependencies in such an environment, follow the guidance fora private IP environmentswithout internet access.
Install a Python dependency to a private IP environment in a VPC Service Controls perimeter
Protecting your project with aVPC Service Controls perimeterresults in further security restrictions. In particular, Cloud Buildcannot be used for package installation, preventing direct access torepositories on the public internet.
To install Python dependencies for a private IP environment inside a perimeter,follow the guidance for private IP environmentswithout internet access.
What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.