Starting April 13, 2025, we are removing the default environment's service account setting
Share
Services
## Announcement
Starting April 13, 2025, we are **removing the default environment's service account setting**. This change enhances security and provides greater control over your Cloud Composer environments.
* Previously, the default Compute Engine service account was used by default when a user didn't specify a service account during Cloud Composer creation.
* After the change, you'll need to explicitly specify a service account when you create a new Cloud Composer environment.
* Existing Cloud Composer environments will not be affected by this change.
To address this change:
* We recommend to **create one or more user-managed service accounts** for Cloud Composer environments in your project and grant them the minimum of required permissions. For more information and instructions, see [Grant roles to an environment's service account](https://cloud.google.com/composer/docs/composer-3/access-control#service-account).
* If you use **Terraform, scripts or other automation and configuration management tools**, then make sure to update them, so that an environment's service account [is specified when you create an environment](https://cloud.google.com/composer/docs/composer-2/create-environments#basic-setup).
## Announcement
In April 2025, Cloud Composer 2 environments will always **use the environment's service account for performing PyPI packages installations**:
* The environment's service account will be used instead.
* Existing Cloud Composer 2 environments that previously used the default Cloud Build service account will change to using the environment's service account instead.
* Cloud Composer 2 environments created in versions 2.10.2 and later already have this change.
* Cloud Composer 3 environments already use the environment's service account, and are not impacted by this change.