Google Cloud Composer

Required attributes

  • GCP Project Id — the GCP project that owns the Composer environment.
  • GCP Location — the region of the Composer environment (e.g., us-central1).
  • Composer Environment Name — the name of the Cloud Composer environment.
  • Airflow Web Server Url — the base URL of the Airflow web server (auto-populated for Composer 2; required for Composer 1).
  • Google IAP Client Id (Composer 2 only) — OAuth2 client ID of the Identity-Aware Proxy protecting the Airflow web server. Leave blank for Composer 1 or non-IAP setups.

Authentication methods

  • Service Account Key: Google Service Account Key (JSON, base64 or raw). Long-lived; rotate manually. Treat the JSON as a secret.
  • Application Default Credentials — resolves via the host environment's ADC chain. Convenient on GCP-hosted Polysync.
  • Workload Identity Federation (recommended): Google Workload Identity Provider, Google Service Account Email. Federates Polysync's Azure / AWS / OIDC identity into GCP, eliminating JSON keys.
  • Impersonated Service Account: Google Source Service Account Key (optional), Google Service Account Email. Useful for least-privilege delegation chains.
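
To check which of the methods above a credential blob actually corresponds to before it is stored, the following added example (not Polysync's own code) decodes a raw or base64 JSON credential and reports whether it embeds a long-lived private key. It assumes the `type` values and field names of Google's credential JSON files; the mapping to the method names above and the function names are hypothetical.

```python
import base64
import binascii
import json
import re

# Credential-file "type" values mapped to the method names listed above (assumed mapping).
METHODS = {"service_account": "Service Account Key",
           "external_account": "Workload Identity Federation",
           "impersonated_service_account": "Impersonated Service Account"}
SA_URL = re.compile(r"/serviceAccounts/([^/:]+):generateAccessToken$")

def load_credential(blob):
    """Parse credential JSON supplied either raw or base64-encoded."""
    text = blob.strip()
    if not text.startswith("{"):
        try:
            text = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("neither JSON nor valid base64") from exc
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("credential JSON must be an object")
    return doc

def audit_credential(blob):
    """Classify a credential and flag embedded long-lived key material."""
    doc = load_credential(blob)
    kind = doc.get("type")
    report = {"method": METHODS.get(kind, "unknown"), "long_lived_key": False,
              "service_account": doc.get("client_email"), "findings": []}
    if kind == "service_account":
        report["long_lived_key"] = bool(doc.get("private_key"))
    elif kind in ("external_account", "impersonated_service_account"):
        m = SA_URL.search(doc.get("service_account_impersonation_url") or "")
        report["service_account"] = m.group(1) if m else None
        # An impersonation chain can still start from a JSON key.
        source = doc.get("source_credentials") or {}
        report["long_lived_key"] = bool(source.get("private_key"))
        if kind == "external_account" and not doc.get("audience"):
            report["findings"].append("missing audience (workload identity provider)")
    else:
        report["findings"].append(f"unrecognised credential type: {kind!r}")
    if report["long_lived_key"]:
        report["findings"].append("embedded private key: store as a secret and rotate")
    return report

# Constructed sample, not a real key: a base64-wrapped service account key file.
SAMPLE_KEY = base64.b64encode(json.dumps({"type": "service_account", "private_key": "PLACEHOLDER",
    "client_email": "sync@example-project.iam.gserviceaccount.com"}).encode()).decode()
print(audit_credential(SAMPLE_KEY))
```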

Permissions checklist

  • The chosen identity must have Composer User (roles/composer.user) on the Composer environment plus IAP-secured Web App User on the IAP resource (Composer 2).
  • For Workload Identity Federation, configure a Workload Identity Pool and Provider that trusts the Polysync host identity.