AI Platform Prediction uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.
There are three types of IAM roles that can be used in AI Platform Prediction:
Basic roles (Owner, Viewer, and Editor) are common to all Google Cloud services.
Predefined AI Platform Prediction roles give you fine-grained access control to your AI Platform Prediction resources at the project and model levels.
Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.
This guide focuses on the predefined AI Platform Prediction roles, their typical usage, and the permissions they grant.
It covers the roles and permissions that principals need in order to access AI Platform Prediction resources. For the permissions that those resources themselves use to reach other Google Cloud resources, read about the AI Platform service agent and custom service accounts.
Basic roles
The legacy AI Platform Prediction IAM roles are based on the basic roles that are common to all Google Cloud services: Owner, Viewer, and Editor.
The legacy project Editor role is equivalent to the AI Platform Prediction Admin role.
The legacy project Viewer role grants the same permissions as the AI Platform Prediction Viewer role, plus the ability to send online prediction requests. Use the AI Platform Prediction Viewer role when you want strictly read-only access: a prediction request sends data to a deployed model and returns its output, so the basic Viewer role is not read-only with respect to AI Platform Prediction.
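As an added example (not part of the Google Cloud documentation), the following Python script applies the mapping above to a project IAM policy: it finds principals that hold basic roles and rewrites Editor and Viewer grants to roles/ml.admin and roles/ml.viewer for the members you choose. The policy JSON, the member identifiers and the etag are constructed samples in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; the member that keeps basic Editor stands in for a principal that needs it for reasons outside AI Platform.

```python
"""Audit a project IAM policy for basic roles and propose predefined
AI Platform Prediction roles in their place.

Added example, not code from the Google Cloud documentation. The policy
below is a constructed sample; every member identifier in it is made up.
"""
import copy
import json

# Mapping stated on this page: basic Editor is equivalent to roles/ml.admin
# for AI Platform Prediction work; basic Viewer is roles/ml.viewer plus the
# ability to send online prediction requests.
BASIC_TO_PREDEFINED = {
    "roles/editor": "roles/ml.admin",
    "roles/viewer": "roles/ml.viewer",
}
# Basic Owner has no AI Platform equivalent on this page: report it only.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:ml-lead@example.com",
                 "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["group:analysts@example.com"]},
    {"role": "roles/ml.developer",
     "members": ["user:dev@example.com"]}
  ],
  "etag": "BwXYZabc123=",
  "version": 1
}
""")


def find_basic_role_grants(policy):
    """Return [(member, basic_role, suggested_role_or_None)] for every
    principal that holds a basic role anywhere in the policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            findings.append((member, role, BASIC_TO_PREDEFINED.get(role)))
    return findings


def replace_basic_roles(policy, members):
    """Return a new policy in which the given members lose basic Editor or
    Viewer and gain the predefined equivalent. Other members, other
    bindings and the etag are untouched, so the result can be submitted
    with `gcloud projects set-iam-policy` without clobbering a concurrent
    change. Conditional bindings are left alone: rewriting them into an
    unconditional grant would widen access."""
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    moved = {}  # predefined role -> members that must be added to it
    for binding in bindings:
        target = BASIC_TO_PREDEFINED.get(binding["role"])
        if target is None or "condition" in binding:
            continue
        keep, move = [], []
        for m in binding.get("members", []):
            (move if m in members else keep).append(m)
        binding["members"] = keep
        for m in move:
            moved.setdefault(target, []).append(m)
    # Drop any binding that no longer has members.
    new_policy["bindings"] = [b for b in bindings if b.get("members")]
    for role, ms in moved.items():
        for b in new_policy["bindings"]:
            if b["role"] == role and "condition" not in b:
                b["members"] = sorted(set(b["members"]) | set(ms))
                break
        else:
            new_policy["bindings"].append({"role": role, "members": sorted(ms)})
    return new_policy


def roles_for(policy, member):
    """Roles bound to `member` in `policy`, sorted."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


if __name__ == "__main__":
    for member, role, suggestion in find_basic_role_grants(SAMPLE_POLICY):
        print(f"{member}: {role} -> {suggestion or 'no AI Platform equivalent, review manually'}")
    fixed = replace_basic_roles(
        SAMPLE_POLICY, {"user:ml-lead@example.com", "group:analysts@example.com"})
    print(json.dumps(fixed, indent=2))
```

Write the rewritten policy to a file and submit it with `gcloud projects set-iam-policy PROJECT_ID policy.json`; because the etag is preserved, IAM rejects the write if the policy changed in between. A member moved from basic Viewer to roles/ml.viewer loses the ability to send online prediction requests, so confirm that nothing depends on that before applying the change.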
Predefined roles
Predefined roles grant a set of related permissions. AI Platform Prediction offers predefined roles for your project, and also for individual models, jobs, and operations.
The role identifiers (for example, roles/ml.admin) and the full description of each role are listed in the Permissions and roles section below.
Project roles
The AI Platform Prediction Admin, Developer, and Viewer roles grant varying levels of access to resources at the project level.
To add, update, or remove these roles in your AI Platform Prediction project, see the documentation on granting, changing, and revoking access.
Role Title | Role Name | Capabilities |
---|---|---|
AI Platform Prediction Admin | roles/ml.admin | Full control of the AI Platform Prediction project and its jobs, operations, models, and versions. Note: The basic project Editor role is equivalent to this role. |
AI Platform Prediction Developer | roles/ml.developer | Create training and prediction jobs, models, and versions, and send online prediction requests. |
AI Platform Prediction Viewer | roles/ml.viewer | Read-only access to AI Platform Prediction resources. |
Model roles
The AI Platform Prediction Model Owner and Model User roles grant varying permissions to a particular model resource.
You can share models with individuals or services by granting them the Model User role.
Role Title | Role Name | Capabilities |
---|---|---|
AI Platform Prediction Model Owner | roles/ml.modelOwner | Full access to the model and its versions. This role is automatically granted to the user who creates the model. |
AI Platform Prediction Model User | roles/ml.modelUser | Permissions to read the model and its versions, and to use them for prediction. Granting this role on a single model is the way to share that model without granting project-wide access. |
Job and operation roles
Similar to the Model Owner role, there are owner roles at the job and operation resource levels that are assigned automatically to the user who creates the job or operation. These roles allow the user full control of any job or operation they create. For more information, see the permissions for job and operation roles.
Permissions and roles
Refer to this section for a full list of permissions that are granted with each AI Platform Prediction predefined role. If these predefined roles do not meet your needs, use this section as a reference for creating your own custom roles.
Admin role
Role Name | Description | Permissions |
---|---|---|
roles/ml.admin | AI Platform Prediction Admin. Full access to your AI Platform Prediction project, and its jobs, operations, models, and versions. Note: Migrating to this role from the basic project Editor role is straightforward: if you previously granted the basic Editor role at the project level, you can grant this role instead. | |
Developer role
Role Name | Description | Permissions |
---|---|---|
roles/ml.developer | AI Platform Prediction Developer. Access to create training and prediction jobs, models and versions, and to send online prediction requests. Note: A developer receives the Job Owner and Operation Owner roles on the jobs and operations they create, so a developer can cancel only their own jobs and operations. Recommendation: Grant the developer read-only access to the AI Platform Prediction logs for troubleshooting purposes. | |
Viewer role
Role Name | Description | Permissions |
---|---|---|
roles/ml.viewer | AI Platform Prediction Viewer. Read-only access to AI Platform Prediction resources in a particular project. Note: The legacy project Viewer role grants a user the same permissions as this role, plus the ability to send online prediction requests. | |
Model Owner role
Role Name | Description | Permissions |
---|---|---|
roles/ml.modelOwner | AI Platform Prediction Model Owner. Full access to the model and its versions. This role is automatically granted to the user who creates the model. | |
Model User role
Role Name | Description | Permissions |
---|---|---|
roles/ml.modelUser | AI Platform Prediction Model User. Permissions to read the model and its versions, and to use them for prediction. | |
Job Owner role
Role Name | Description | Permissions |
---|---|---|
roles/ml.jobOwner | AI Platform Prediction Job Owner. Full access to all permissions for a particular job resource. The Job Owner role is granted automatically to the user who creates that job. For example, a user who has the AI Platform Prediction Developer role on a project can create jobs, list all jobs, and get all jobs in a given project, but can cancel only the job(s) they created themselves. | |
Operation Owner role
Role Name | Description | Permissions |
---|---|---|
roles/ml.operationOwner | AI Platform Prediction Operation Owner. Full access to all permissions for a particular operation resource. The Operation Owner role is granted automatically on any operation that the user indirectly creates when creating a model or a version, so the user can always get and cancel their own operations. | |
Permissions needed for prediction
For convenience, this table summarizes the permissions that are specifically required for batch and online prediction:
Task | Required Permission(s) |
---|---|
Batch prediction | ml.jobs.create. Note: You can create a batch prediction job without a deployed version by specifying the location of a model saved in Cloud Storage; that type of batch prediction job requires only the ml.jobs.create permission. To create a batch prediction job that uses a deployed version, you will also need either [...] |
Online prediction | [...] |
Permissions required for methods
For convenience, this section lists the permissions required to call each method in AI Platform Prediction:
Method | Required Permission(s) |
---|---|
projects.getConfig | ml.projects.getConfig |
projects.jobs.cancel | ml.jobs.cancel |
projects.jobs.create | ml.jobs.create. Note: To create a batch prediction job that uses a deployed version, you will also need either [...] |
projects.jobs.get | ml.jobs.get |
projects.jobs.list | ml.jobs.list |
projects.models.create | ml.models.create |
projects.models.delete | ml.models.delete |
projects.models.get | ml.models.get |
projects.models.list | ml.models.list |
projects.models.versions.create | ml.versions.create |
projects.models.versions.delete | ml.versions.delete |
projects.models.versions.get | ml.versions.get |
projects.models.versions.list | ml.versions.list |
projects.models.versions.setDefault | ml.models.update |
projects.operations.cancel | ml.operations.cancel |
projects.operations.get | ml.operations.get |
projects.operations.list | ml.operations.list |
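The method table is easiest to use programmatically. The following Python, an added example rather than code from the Google Cloud documentation, transcribes it into a lookup that answers the two questions a custom-role author has: which permissions a given set of methods needs, and which methods a given permission set unlocks. The role title, description and the batch-submitter scenario are made up; the additional permission that the note on projects.jobs.create refers to is not named on this page, so it is not in the map.

```python
"""Derive the permissions an AI Platform Prediction caller needs from the
method table on this page, and build a least-privilege custom role.

Added example, not code from the Google Cloud documentation. The mapping
is transcribed from the "Permissions required for methods" table; the
scenario at the bottom is constructed.
"""
import json

METHOD_PERMISSIONS = {
    "projects.getConfig": "ml.projects.getConfig",
    "projects.jobs.cancel": "ml.jobs.cancel",
    # The table's note says a job that uses a deployed version needs one
    # further permission that this page does not name; it is not modelled.
    "projects.jobs.create": "ml.jobs.create",
    "projects.jobs.get": "ml.jobs.get",
    "projects.jobs.list": "ml.jobs.list",
    "projects.models.create": "ml.models.create",
    "projects.models.delete": "ml.models.delete",
    "projects.models.get": "ml.models.get",
    "projects.models.list": "ml.models.list",
    "projects.models.versions.create": "ml.versions.create",
    "projects.models.versions.delete": "ml.versions.delete",
    "projects.models.versions.get": "ml.versions.get",
    "projects.models.versions.list": "ml.versions.list",
    # Setting the default version is a write on the model, not the version.
    "projects.models.versions.setDefault": "ml.models.update",
    "projects.operations.cancel": "ml.operations.cancel",
    "projects.operations.get": "ml.operations.get",
    "projects.operations.list": "ml.operations.list",
}


def required_permissions(methods):
    """Minimal permission set for calling exactly these methods."""
    unknown = [m for m in methods if m not in METHOD_PERMISSIONS]
    if unknown:
        raise ValueError(f"methods not in the table: {unknown}")
    return sorted({METHOD_PERMISSIONS[m] for m in methods})


def missing_for(granted, method):
    """Permissions the caller still lacks for `method`; empty means allowed."""
    return sorted({METHOD_PERMISSIONS[method]} - set(granted))


def callable_methods(granted):
    """Every method in the table that `granted` is sufficient to call.
    Useful for reading an existing custom role and seeing what it unlocks."""
    granted = set(granted)
    return sorted(m for m, p in METHOD_PERMISSIONS.items() if p in granted)


def custom_role(title, methods, description=""):
    """Role definition in the shape that
    `gcloud iam roles create ROLE_ID --project PROJECT_ID --file role.yaml`
    accepts. YAML is a superset of JSON, so json.dumps output can be
    written straight to role.yaml."""
    return {
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": required_permissions(methods),
    }


# Constructed scenario: a batch-scoring service account should submit jobs
# and watch them, but never create, delete or redeploy models.
BATCH_SUBMITTER_METHODS = [
    "projects.jobs.create",
    "projects.jobs.get",
    "projects.jobs.list",
]

if __name__ == "__main__":
    role = custom_role("Batch prediction submitter", BATCH_SUBMITTER_METHODS,
                       "Submit and monitor prediction jobs only")
    print(json.dumps(role, indent=2))
    granted = role["includedPermissions"]
    print("can delete models:", missing_for(granted, "projects.models.delete") == [])
    print("unlocks:", callable_methods(granted))
```

Write the dictionary out as role.yaml and create the role with `gcloud iam roles create batchSubmitter --project PROJECT_ID --file role.yaml`. The lookup preserves one asymmetry in the table that is easy to miss when hand-writing a role: projects.models.versions.setDefault needs ml.models.update, so a role built only from ml.versions.* permissions cannot change which version serves predictions.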
Permissions required for storage
When you deploy your trained model on AI Platform Prediction to get predictions, you upload your saved model files to Cloud Storage. Within the Cloud Storage bucket, your model files are objects. You must ensure that your AI Platform Prediction service account can access the files for your trained model in your Cloud Storage bucket.
Grant your AI Platform Prediction service account a Cloud Storage IAM role that includes the following permissions at minimum:
Required Permission(s) | Explanation |
---|---|
storage.buckets.list | Lets the AI Platform Prediction service account enumerate the buckets in your project so that it can locate the bucket that holds your model files. |
storage.objects.get | Lets the AI Platform Prediction service account read the model files (objects) in your Cloud Storage bucket. |
See how to configure Cloud Storage permissions for AI Platform Prediction.