On September 15, 2026, all Cloud Composer 1 versions and versions 2.0.x of Cloud Composer 2 will reach their planned end of life. You will not be able to use environments with these versions. We recommend planning migration to Cloud Composer 3. Cloud Composer 2 versions 2.1.x and later are still supported and are not impacted by this change.
This page shows how to configure
resource location restrictions
so that your data stored by Cloud Composer is kept within
the locations you specify.
How location restrictions work
Location restrictions for Cloud Composer are determined based
on the organizational policy that is applied to the project where
the Cloud Composer environment is created. This policy is assigned
either within the project or is inherited from the organization.
With location restrictions enabled, it is not possible to create
an environment in a region that is prohibited by the policy. If a region
is listed in the Deny list, or is not listed in the Allow list, then you
cannot create environments in this region.
To enable the creation of environments, the policy must allow the whole region
and not a specific zone within this region. For example, the europe-west3
region must be allowed by the policy in order to create
Cloud Composer environments in this region.
Cloud Composer checks location restrictions at:
Environment creation.
Environment upgrade, if any additional resources are created during the
operation.
Environment update, for older environments that do not enforce location
restrictions on Cloud Composer dependencies.
In addition to checking the location restrictions, Cloud Composer
does the following:
Stores user-customized Airflow images in regional Artifact Registry
repositories. As an example, such images are created when you install
custom PyPI images in your environment.
If the US multi-region is explicitly prohibited by the
policy, Cloud Build use is disabled. In this case, user-customized
Airflow images are built in your environment's cluster.
Install a Python dependency to a private IP environment with resource location restrictions
If you set resource location restrictions for your project, then
Cloud Build can't be used to install Python packages. As a consequence,
direct access to repositories on the public internet is disabled.
To install Python dependencies in a Private IP environment when your
location restrictions don't allow the US multi-region, use
one of the following options:
Use a
proxy server
in your VPC network to connect to a PyPI repository on the public
internet. Specify the proxy address in the /config/pip/pip.conf file in
the Cloud Storage bucket.
If your security policy permits access to your VPC network from external
IP addresses, you can configure Cloud NAT.
Store the Python dependencies in the dags folder in
the Cloud Storage bucket, to
install them as local libraries.
This might not be a good option if the dependency tree is large.
Restrict locations for Cloud Composer logs
If your Cloud Composer logs contain sensitive data, you might want
to redirect Cloud Composer logs to a regional
Cloud Storage bucket. To do so, use
a log sink. After you redirect logs to
a Cloud Storage bucket, your logs are not sent to Cloud Logging.
LOCATION with the region where the environment is located.
BUCKET_NAME with the name of the bucket. For example,
composer-logs-us-central1-example-environment.
Create a new log sink.
gcloudloggingsinkscreate\
composer-log-sink-ENVIRONMENT_NAME\
storage.googleapis.com/BUCKET_NAME\
--log-filter"resource.type=cloud_composer_environment AND \resource.labels.environment_name=ENVIRONMENT_NAME AND \resource.labels.location=LOCATION"
Replace:
ENVIRONMENT_NAME with the name of the environment.
BUCKET_NAME with the name of the bucket.
LOCATION with the region where the environment is located.
The output of the previous command contains the service
account number. Grant the Storage Object Creator role to this
service account:
SA_NUMBER with the service account number provided by
the gcloud logging sinks create command on the previous step.
Exclude the logs for your environment from Logging.
gcloudloggingsinksupdate_Default\
--add-exclusionname=ENVIRONMENT_NAME-exclusion,filter=\"resource.type=cloud_composer_environment AND \resource.labels.environment_name=ENVIRONMENT_NAME AND \resource.labels.location=LOCATION"
Replace:
ENVIRONMENT_NAME with the name of the environment.
LOCATION with the region where the environment is located.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eThis document details how to configure resource location restrictions for Cloud Composer environments, ensuring data remains within specified locations, which is determined by the organizational policy applied to the project.\u003c/p\u003e\n"],["\u003cp\u003eWith location restrictions, environments cannot be created in denied regions, and the policy must allow the entire region, not just a specific zone, for environment creation within it to be possible.\u003c/p\u003e\n"],["\u003cp\u003eWhen using Private IP environments and resource location restrictions disallow the \u003ccode\u003eUS\u003c/code\u003e multi-region, users must utilize a private PyPI repository, a proxy server, Cloud NAT, or local library installation from the \u003ccode\u003edags\u003c/code\u003e folder to install Python dependencies.\u003c/p\u003e\n"],["\u003cp\u003eTo redirect Cloud Composer logs containing sensitive data to a regional Cloud Storage bucket, users can employ a log sink, after which logs will no longer be sent to Cloud Logging, and certain steps are outlined to make this possible.\u003c/p\u003e\n"],["\u003cp\u003eThe location restrictions are checked at the time of environment creation, environment upgrade if it causes additional resource creation, and environment update for older environments.\u003c/p\u003e\n"]]],[],null,["# Configure resource location restrictions\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n**Cloud Composer 3** \\| [Cloud Composer 2](/composer/docs/composer-2/configure-resource-location-restrictions \"View this page for Cloud Composer 2\") \\| [Cloud Composer 1](/composer/docs/composer-1/configure-resource-location-restrictions \"View this page for Cloud Composer 1\")\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page shows how to configure\n[resource location restrictions](/resource-manager/docs/organization-policy/defining-locations)\nso that your data stored by Cloud Composer is kept within\nthe locations you specify.\n\nHow location restrictions work\n------------------------------\n\nLocation restrictions for Cloud Composer are determined based\non the organizational policy that is applied to the project where\nthe Cloud Composer environment is created. This policy is assigned\neither within the project or is inherited from the organization.\n\nWith location restrictions enabled, it is not possible to create\nan environment in a region that is prohibited by the policy. If a region\nis listed in the Deny list, or is not listed in the Allow list, then you\ncannot create environments in this region.\n\nTo enable the creation of environments, the policy must allow the whole region\nand not a specific zone within this region. For example, the `europe-west3`\nregion must be allowed by the policy in order to create\nCloud Composer environments in this region.\n\nCloud Composer checks location restrictions at:\n\n- Environment creation.\n- Environment upgrade, if any additional resources are created during the operation.\n- Environment update, for older environments that do not enforce location restrictions on Cloud Composer dependencies.\n\nIn addition to checking the location restrictions, Cloud Composer\ndoes the following:\n\n- Stores user-customized Airflow images in regional Artifact Registry repositories. As an example, such images are created when you install custom PyPI images in your environment.\n- If the [`US` multi-region](/storage/docs/locations#location-mr) is explicitly prohibited by the policy, Cloud Build use is disabled. In this case, user-customized Airflow images are built in your environment's cluster.\n\nInstall a Python dependency to a private IP environment with resource location restrictions\n-------------------------------------------------------------------------------------------\n\nIf you set resource location restrictions for your project, then\nCloud Build can't be used to install Python packages. As a consequence,\ndirect access to repositories on the public internet is disabled.\n\nTo install Python dependencies in a Private IP environment when your\nlocation restrictions don't allow the [`US` multi-region](/storage/docs/locations#location-mr), use\none of the following options:\n\n- Use a private\n [PyPI repository hosted in your VPC network](/composer/docs/composer-3/install-python-dependencies#install-private-repo).\n\n- Use a\n [proxy server](https://pip.pypa.io/en/stable/user_guide/#using-a-proxy-server)\n in your VPC network to connect to a PyPI repository on the public\n internet. Specify the proxy address in the `/config/pip/pip.conf` file in\n the Cloud Storage bucket.\n\n- If your security policy permits access to your VPC network from external\n IP addresses, you can configure [Cloud NAT](/nat/docs/overview).\n\n- Store the Python dependencies in the `dags` folder in\n the Cloud Storage bucket, to\n [install them as local libraries](/composer/docs/composer-3/install-python-dependencies#install-local).\n This might not be a good option if the dependency tree is large.\n\nRestrict locations for Cloud Composer logs\n------------------------------------------\n\nIf your Cloud Composer logs contain sensitive data, you might want\nto redirect Cloud Composer logs to a regional\nCloud Storage bucket. To do so, use\na [log sink](/logging/docs/export/configure_export_v2). After you redirect logs to\na Cloud Storage bucket, your logs are not sent to Cloud Logging.\n**Caution:** To get support from Cloud Customer Care, you might need to grant Google support engineers access to the Cloud Composer logs stored in Cloud Storage. \n\n### gcloud\n\n1. Create a new Cloud Storage bucket.\n\n gcloud storage buckets create gs://\u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e --location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\n\n Replace:\n - `LOCATION` with the region where the environment is located.\n - `BUCKET_NAME` with the name of the bucket. For example, `composer-logs-us-central1-example-environment`.\n2. Create a new log sink.\n\n gcloud logging sinks create \\\n composer-log-sink-\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e \\\n storage.googleapis.com/\u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e \\\n --log-filter \"resource.type=cloud_composer_environment AND \\\n resource.labels.environment_name=\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e AND \\\n resource.labels.location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n\n Replace:\n - `ENVIRONMENT_NAME` with the name of the environment.\n - `BUCKET_NAME` with the name of the bucket.\n - `LOCATION` with the region where the environment is located.\n3. The output of the previous command contains the service\n account number. Grant the **Storage Object Creator** role to this\n service account:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=\"serviceAccount:\u003cvar translate=\"no\"\u003eSA_NUMBER\u003c/var\u003e@gcp-sa-logging.iam.gserviceaccount.com\" \\\n --role='roles/storage.objectCreator' \\\n --condition=None\n\n Replace:\n - `PROJECT_ID` with the [Project ID](/resource-manager/docs/creating-managing-projects).\n - `SA_NUMBER` with the service account number provided by the `gcloud logging sinks create` command on the previous step.\n4. Exclude the logs for your environment from Logging.\n\n **Caution:** [Audit logs](/logging/docs/audit) cannot be excluded. They are always sent to the default storage. \n\n gcloud logging sinks update _Default \\\n --add-exclusion name=\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e-exclusion,filter=\\\n \"resource.type=cloud_composer_environment AND \\\n resource.labels.environment_name=\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e AND \\\n resource.labels.location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n\n Replace:\n - `ENVIRONMENT_NAME` with the name of the environment.\n - `LOCATION` with the region where the environment is located.\n\nWhat's next\n-----------\n\n- [Cloud Composer security overview](/composer/docs/composer-3/composer-security-overview)\n- [Access control](/composer/docs/composer-3/access-control)"]]
