AI Platform Notebooks has a specific set of Identity and Access Management (IAM) roles. Each predefined role contains a set of permissions.
When you add a new member to a project, you can use an IAM policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to specific resources.
AI Platform Notebooks IAM permissions are used to manage notebook instances (creating, deleting, and modifying AI Platform Notebooks instances through the Notebooks API). To configure JupyterLab access, refer to this document.
What is IAM?
Google Cloud offers IAM, which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who has what permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a project member, giving the identity specific permissions. For example, for a specific resource, such as a project, you can assign the roles/notebooks.viewer role to a user to allow that user to view notebooks within that project.
To learn more, read the IAM documentation.
Predefined AI Platform Notebooks IAM roles
With IAM, every API method in AI Platform Notebooks requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a member (user, group, or service account) of your project.
The following table describes the predefined AI Platform Notebooks IAM roles as well as the permissions contained within each role. Each role contains a set of permissions that is suitable for a specific task. For example, the Notebooks Viewer (roles/notebooks.viewer) role grants read-only access to the specified resource.
| Role | Description |
|---|---|
| Notebooks Admin | Full access to AI Platform Notebooks, all resources. |
| Notebooks Legacy Admin | Full access to Notebooks all resources through compute API. |
| Notebooks Legacy Viewer | Read-only access to Notebooks all resources through compute API. |
| Notebooks Runner | Restricted access for running scheduled Notebooks. |
| Notebooks Viewer | Read-only access to AI Platform Notebooks, all resources. |
- Learn more about IAM.
- Grant AI Platform Notebooks IAM roles to members of your projects.
- Learn how to create and manage custom IAM roles.