Manage access using IAM roles

This page describes how to grant and revoke access to AI Platform Notebooks resources. This page focuses on AI Platform Notebooks roles only. For information on how to grant and revoke access to resources using other roles, see Granting, changing, and revoking access to resources.

Before you begin

Granting access

To grant roles to a member (user, group, or service account), you can use the Google Cloud Console or the gcloud command-line tool.

Cloud Console

Complete the following steps in the Cloud Console.

  1. Open the IAM & Admin page in the Cloud Console.

  2. To choose a project, click Select, select the project that you want, and click Open.

  3. Identify the member to which you want to add a role.

    • If the member isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the identifier of the member. For example, alice@example.com.
    • If the member is already on the members list, it has existing roles. To edit the member's roles, click the Edit button. Then click the Add another role button.

  4. Click the Select a role drop-down menu, and select AI Notebooks to show the available AI Platform Notebooks IAM roles. These roles will restrict a member's access to only the AI Platform Notebooks resources within a project.

  5. Select a role.

  6. Click Save to apply the roles.

gcloud tool

Complete the following steps using the gcloud command-line tool.

To grant a role to a member, run the gcloud tool's add-iam-policy-binding command:

gcloud projects add-iam-policy-binding project-id \
    --member member-id --role role-name

Provide the following values:

  • project-id: The ID of the project that you wish to grant access to.

  • member-id: An identifier for the member (user, group, or service account) that needs access. For example: user:alice@example.com, group:admins@example.com, or serviceAccount:my-other-app@appspot.gserviceaccount.com.

  • role-name: The name of the role. See the list of AI Platform Notebooks IAM roles. These roles will restrict a member's access to only the AI Platform Notebooks resources within a project.

For example, to grant the roles/notebooks.viewer role to the user alice@example.com for the project my-project:

gcloud projects add-iam-policy-binding my-project \
    --member user:alice@example.com --role roles/notebooks.viewer

Revoking access

To revoke access, use one of the following methods:

Cloud Console

Complete the following steps in the Cloud Console.

  1. Open the IAM & Admin page in the Cloud Console.

  2. To choose a project, click Select, select the project that you want, and click Open.

  3. Locate the member for whom you want to revoke access, and then click the Edit button on the right.

  4. Click the Delete button for each role you want to revoke.

  5. Click Save.

gcloud tool

Complete the following steps using the gcloud command-line tool.

To revoke a role from a member, run the gcloud tool's remove-iam-policy-binding command:

gcloud projects remove-iam-policy-binding project-id \
    --member member-id --role role-name

Provide the following values:

  • project-id: The project ID.

  • member-id: An identifier for the member (user, group, or service account). For example: user:alice@example.com, group:admins@example.com, or serviceAccount:my-other-app@appspot.gserviceaccount.com.

  • role-name: The name of the role to revoke.

For example, to revoke the roles/notebooks.viewer role from the user alice@example.com for the project my-project:

gcloud projects remove-iam-policy-binding my-project \
    --member user:alice@example.com --role roles/notebooks.viewer
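
The revoke step above, followed by a re-read of the project policy to confirm the binding is gone, as an added example that is not part of the original page. The function names are hypothetical, the sample identifiers are the ones this page uses, and the parsing assumes gcloud's value() format prints tab-separated columns.

```shell
# Added example, not from the original page. Function names are hypothetical;
# the gcloud subcommands are the ones this page uses, plus get-iam-policy.

# Shape check: accept only the member forms listed above.
valid_member() {
  case "$1" in
    user:?*@?* | group:?*@?* | serviceAccount:?*@?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only AI Platform Notebooks roles (roles/notebooks.*).
valid_notebooks_role() {
  case "$1" in
    roles/notebooks.?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the notebooks roles bound directly to MEMBER on PROJECT.
# Assumes the value() format emits tab-separated columns, one pair per line.
notebooks_roles_of() { # usage: notebooks_roles_of PROJECT MEMBER
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)" |
    awk -F'\t' -v m="$2" '$2 == m && index($1, "roles/notebooks.") == 1 { print $1 }'
}

# Revoke ROLE from MEMBER on PROJECT, then re-read the policy to confirm.
# Returns 2 on bad input, 1 if the binding is still present, 0 otherwise.
revoke_and_verify() { # usage: revoke_and_verify PROJECT MEMBER ROLE
  valid_member "$2" || { echo "rejected member: $2" >&2; return 2; }
  valid_notebooks_role "$3" || { echo "not a notebooks role: $3" >&2; return 2; }
  gcloud projects remove-iam-policy-binding "$1" \
    --member "$2" --role "$3" >/dev/null || return 1
  left="$(notebooks_roles_of "$1" "$2")"
  if printf '%s\n' "$left" | grep -Fxq "$3"; then
    echo "still bound: $2 -> $3" >&2
    return 1
  fi
  # Report any other notebooks roles the member keeps after the revoke.
  if [ -n "$left" ]; then printf 'remaining: %s\n' $left; fi
  return 0
}
```

The check covers only bindings made directly on the project for that exact member identifier; access a member gets through a group binding appears under the group's identifier instead.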

What's next