Functionality of controlling access to Cloud Composer’s Airflow UI and Airflow REST API (Composer 2 version) via VPC Service Controls mechanism might not work as expected.

Summary: Functionality of explicitly defining the list of users allowed to access Cloud Composer’s Airflow UI (Composer 2 version) via VPC Service Controls mechanism doesn’t work as expected. Description: We are experiencing an issue with Google Cloud Composer beginning on Friday, 2023-08-25 05:38 US/Pacific. Our engineering team continues to investigate the issue. We will provide an update by Friday, 2023-08-25 09:00 US/Pacific with current details. Diagnosis: Functionality of explicitly defining the list of users allowed to access Cloud Composer’s Airflow UI via ingress policies defined within in VPC Service Controls’s access level doesn’t work as expected (applicable to Composer version 2 users, it is not affecting Composer version 1 users). As a result of it, regardless of what is configured in the access policy, any users who meet the conditions presented below have access to Airflow UI. Important: Regardless of this issue, to have access to Airflow UI, a user: - Needs to be added in Cloud IAM in a project where Composer environment is created with proper Composer permissions as described in Composer Access Control page: https://cloud.google.com/composer/docs/composer-2/access-control - Needs to have proper Airflow RBAC role assigned (read more about Role-Based Access Control at this page: https://cloud.google.com/composer/docs/airflow-rbac) Workaround: Rely only on Cloud IAM permissions and Airflow RBAC controls (https://cloud.google.com/composer/docs/airflow-rbac) to give or decline user access to Airflow UI.