Unable to create Composer environment [GCP]

Question

I am trying to create basic Composer environment:

• image version: 1.17.8/2.1.4
• using service account with composer.worker permission
• my own user has project.owner permission
• public ip

All my attempts failed with following error:

Http error status code: 400
Http error message: BAD REQUEST
Errors in: [Web server]; Error messages:
The caller does not have permission
    Required 'deploymentmanager.typeProviders.create' permission for 'projects/<my-project>/global/typeProviders/europe-west2-<name-id>-addons-gke-typer'

deploymentmanager.typeProviders.create is covered by Deployment Manager Type Editor, so I added this permission to both my account and service account, but the error remains the same. Cloud Composer Service Agent account is present in the project without any modifications to its permissions.

Is there anything else I can check or something that I missed during the set up?

Answer 1

For an account (whether User Account or Service Account) to be able to create a Composer Environment, the account must have a composer.environments.create permission.

And according to Google Cloud's documentation on Cloud Composer Access Control,

The Composer Worker role provides the permissions necessary to run a Cloud Composer environment VM and intended for service accounts.

The Composer Worker role is not intended for creation of environments thus, it does not have the composer.environments.create permission.

If you want your service account to be able to create a Composer environment, you will need to assign the role Composer Administrator and this has the composer.environments.create permission needed.

You may refer to Access Control for Cloud Composer for the complete list of permission for Composer Worker, Composer Administrator and other Composer related roles.