---
title: Google Cloud Composer
description: ''
slug: /help/docs/platform-services/automation-service/app-central/integrations/google-cloud-composer/
canonical: https://www.sumologic.com/help/docs/platform-services/automation-service/app-central/integrations/google-cloud-composer/
---
import useBaseUrl from '@docusaurus/useBaseUrl';
***Version: 1.2
Updated: Jun 16, 2026***
Google Cloud Composer is a fully managed workflow orchestration service built on Apache Airflow that helps you author, schedule, and monitor pipelines spanning hybrid and multi-cloud environments.
## Actions
* **Add Member to IAM Role** (*Containment*) - Adds a new member to the specified IAM role for the Cloud Composer environment.
* **Get DAG** (*Enrichment*) - Retrieves details of a specific DAG from a Cloud Composer environment.
* **Get Environment** (*Enrichment*) - Retrieves details of a specific Cloud Composer environment.
* **List DAGs** (*Enrichment*) - Lists all DAGs in a Cloud Composer environment.
* **List Environments** (*Enrichment*) - Lists all Cloud Composer environments in the specified project and region.
* **Pause DAG** (*Containment*) - Pauses a DAG in a Cloud Composer environment to stop scheduled runs.
* **Remove Member from IAM Role** (*Containment*) - Removes a member from the specified IAM role for the Cloud Composer environment.
* **Unpause DAG** (*Containment*) - Unpauses a previously paused DAG in a Cloud Composer environment to resume scheduled runs.
* **Update Project IAM Policy** (*Containment*) - Updates the IAM policy for the project associated with the Cloud Composer environment.
## Required IAM roles
The following table lists the required IAM roles for each action:
| Action | Required Role | Permission |
|:--|:--|:--|
| Add Member to IAM Role | Project IAM Admin (`roles/resourcemanager.projectIamAdmin`) | `resourcemanager.projects.setIamPolicy` |
| Get DAG | Composer User (`roles/composer.user`) | `composer.dags.get` |
| Get Environment | Composer User (`roles/composer.user`) | `composer.environments.get` |
| List DAGs | Composer User (`roles/composer.user`) | `composer.dags.list` |
| List Environments | Composer User (`roles/composer.user`) | `composer.environments.list` |
| Pause DAG | Composer Admin (`roles/composer.admin`) | `composer.dags.update` |
| Remove Member from IAM Role | Project IAM Admin (`roles/resourcemanager.projectIamAdmin`) | `resourcemanager.projects.setIamPolicy` |
| Unpause DAG | Composer Admin (`roles/composer.admin`) | `composer.dags.update` |
| Update Project IAM Policy | Project IAM Admin (`roles/resourcemanager.projectIamAdmin`) | `resourcemanager.projects.setIamPolicy` |
## Google Cloud Composer configuration
The Google Cloud Composer integration supports two types of authentication:
- **Service Account**
- **WIF (Workload Identity Federation)**
We recommend using WIF since it is more secure and easier to manage. For more information, see [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation).
## Required AWS details from Sumo Logic
To configure the Google Cloud Composer integration using WIF authentication, you need the following AWS details from Sumo Logic. These details are essential for setting up the Workload Identity Federation (WIF) credentials in Google Workspace:
* Deployment name is the unique name of your Sumo Logic [deployment](/docs/api/about-apis/getting-started/#documentation), for example, `dub`, `fra`, etc.
* Sumo Logic AWS account ID: `926226587429`
* Sumo Logic AWS role: `-csoar-automation-gcpcomposer`
* Sumo Logic AWS Lambda function: `-csoar-automation-gcpcomposer`
* Full ARN: `arn:aws:sts::926226587429:assumed-role/-csoar-automation-gcpcomposer/-csoar-automation-gcpcomposer`
### Workload Identity Federation (WIF) authentication
Follow the steps below to [create WIF credentials](https://cloud.google.com/iam/docs/workload-identity-federation) in Google Workspace, which are required to configure the Google Cloud Composer integration:
1. Log in to the [Google Cloud](https://console.cloud.google.com) portal.
2. Select a Google Cloud project (or create a new one).
3. Navigate to **API & Services**.
4. On the same page, click **ENABLED API AND SERVICES** and search for Cloud Composer API, Cloud Resource Manager API, IAM Service Account Credentials API, Identity and Access Management (IAM) API, Security Token Service API, and enable them all.
5. Navigate to **IAM & Admin** > **Service Accounts** page.
6. Click **CREATE SERVICE ACCOUNT**. A [Service Account](https://cloud.google.com/iam/docs/service-accounts-create) is required to access Google Cloud Composer.
7. While creating the service account, under **Permissions**, set the role as **Service Account Token Creator** and then click **DONE**.
8. Navigate to **IAM & Admin** > **Workload Identity Federation**.
9. Click **CREATE POOL**, provide the details, and click **CONTINUE**.
10. Add the **Provider details**. Select **AWS** as the provider type and enter the AWS Account ID provided by Sumo Logic. Click **CONTINUE** and **SAVE**.
11. Now you will see the created pool and provider.
12. Build a principal name to configure in Sumo Logic. The format of the principal name is: `principalSet://iam.googleapis.com/projects/{YourProjectID}/locations/global/workloadIdentityPools/{YourPoolName}/attribute.aws_role/arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}/{SumoAWSLambdaFunction}`.
13. Navigate to **IAM & Admin** > **IAM** and click **Grant Access** to add a new principal.
14. In the **New principals** field, provide the principal name created in step 12 and select the role as **Workload Identity User**. Click **SAVE**.
15. Go to the **IAM & Admin** > **Workload Identity Federation** and select the pool created in step 9.
16. Click **Grant Access** > **Grant access using service account impersonation**.
17. Select the service account created in the previous step. Set the principal type as `aws_role` and the ARN as `arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}` and then click **SAVE**.
18. Navigate to **Grant Access** > **Grant access using service account impersonation**. Select the service account created in step 6. Select the principal as `aws_role` and provide the ARN as `arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}/{SumoAWSLambdaFunction}`. Click **SAVE**.
19. Download the WIF `conf.json` file. Ensure you save it in a safe place. Use the JSON content to configure the Google Cloud Composer integration to use WIF authentication in Automation Service and Cloud SOAR.
### Service Account authentication
To [create service account credentials](https://developers.google.com/workspace/guides/create-credentials) in Google Workspace, needed to configure the Google Cloud Composer integration, follow these steps:
1. Log in to the [Google Cloud](https://console.cloud.google.com) portal.
2. Select a Google Cloud project (or create a new one).
3. Navigate to **API & Services** > **Credentials**.
4. On the same page, click **ENABLED API AND SERVICES** and search for Cloud Composer API, Cloud Resource Manager API, IAM Service Account Credentials API, Identity and Access Management (IAM) API, Security Token Service API, and enable them.
5. Click **CREATE CREDENTIALS** and select **Service Account**.
6. Enter a service account name to display in the Google Cloud console. The Google Cloud console generates a service account ID based on this name.
7. (Optional) Enter a description of the service account.
8. Skip two optional grant permissions steps and click **Done** to complete the service account creation.
9. Click the generated service account to open the details.
10. Under the **KEYS** tab, click **ADD KEY** and select **Create new key**.
11. Click **CREATE** (make sure **JSON** is selected).
12. The JSON file is downloaded. Ensure you save it in a safe place.
## Configure Google Cloud Composer in Automation Service and Cloud SOAR
import IntegrationsAuth from '../../../../reuse/integrations-authentication.md';
import IntegrationCertificate from '../../../../reuse/automation-service/integration-certificate.md';
import IntegrationEngine from '../../../../reuse/automation-service/integration-engine.md';
import IntegrationLabel from '../../../../reuse/automation-service/integration-label.md';
import IntegrationProxy from '../../../../reuse/automation-service/integration-proxy.md';
import IntegrationTimeout from '../../../../reuse/automation-service/integration-timeout.md';
*
* **Authentication Type**. Select the authentication type: **Service Account Private Key Json** or **Workload Identity Federation Private Key Json** and provide the selected type JSON content.
* **Scopes**. Default scope is `https://www.googleapis.com/auth/cloud-platform`. If not already present, add this scope.
* **Project ID**. Provide the Google Cloud Project ID where the Composer environments are located.
*
*
For more information on Google Cloud Composer, see [Google Cloud Composer documentation](https://cloud.google.com/composer/docs).
## Change Log
* June 16, 2026 (v1.2) - First upload