You can configure AI Platform Prediction to use a service account of your choice when it runs custom code to serve predictions. Specifically, you can specify a custom service account when you do one of the following:
- Create a model version that uses a custom container.
- Create a model version that uses a custom prediction routine.
Using a custom service account lets you customize what Google Cloud resources your custom serving code can access without granting overly broad permissions to the service account that your AI Platform Prediction uses by default.
The guide focuses on AI Platform Prediction resources' permissions to access other Google Cloud resources. To learn about the permissions that you need to access AI Platform Prediction resources themselves, read Access control.
Understanding the Google-managed service account
By default, AI Platform Prediction uses a Google-managed service account to serve online predictions from model versions that don't use custom containers. This service account is identified by an email address with the following format:
service-PROJECT_NUMBER@cloud-ml.google.com.iam.gserviceaccount.com
PROJECT_NUMBER is replaced by the project number for your Google Cloud project.
Find the corresponding service account for your project in the Google Cloud Console
or by using the gcloud command-line tool:
Cloud Console
Go to the IAM page in the Cloud Console and find the member that
matches the email address format described previously in this section. The
service account also has the name Google Cloud ML Engine Service Agent.
gcloud
Run the following command in a Shell environment where you have initialized
the gcloud tool:
gcloud projects get-iam-policy PROJECT_ID \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role:roles/ml.serviceAgent" \
| grep serviceAccount:
Replace PROJECT_ID with the ID of your Google Cloud project.
This command outputs the following:
serviceAccount:GOOGLE_MANAGED_SERVICE_ACCOUNT
GOOGLE_MANAGED_SERVICE_ACCOUNT is the email address of your project's AI Platform Google-managed service account.
This Google-managed service account has permissions that are appropriate for most model versions. For example, it can read from Cloud Storage buckets in the same Google Cloud project.
If you need your custom prediction routines to run with additional permissions, you can assign additional Identity and Access Management (IAM) roles to this service account. For example, you can give it access to Cloud Storage buckets in other Google Cloud projects.
Service account used by default in custom containers
If your model version uses a custom
container, then by default the container
does not run using the AI Platform Google-managed service account; instead, it runs using a service
account managed by AI Platform Prediction. This service account has permission to
read model artifacts
that AI Platform Prediction makes available at a URI stored in the
AIP_STORAGE_URI environment
variable.
You cannot customize the permissions of this service account used by default in custom containers. If you want to customize permissions available to your custom container, read the following sections to use a custom service account with your model version.
Using a custom service account
If you want to grant or limit Google Cloud permissions for a specific model version, use a custom service account in place of the Google-managed service account.
To do this, first set up a custom service account. Then specify the custom service account when you create a model version.
Set up a custom service account
To set up a custom service account, do the following:
Grant your new service account IAM roles to provide your prediction-serving code with any permissions that it needs when it runs.
If the user-managed service account is in a different project than your model versions, configure the user-managed service account so you can attach it to your model versions.
Grant your project's AI Platform Google-managed service account the Service Account Admin role (
roles/iam.serviceAccountAdmin) for your new custom service account. To do so, use thegcloudtool to run the following command:gcloud iam service-accounts add-iam-policy-binding \ --role=roles/iam.serviceAccountAdmin \ --member=serviceAccount:GOOGLE_MANAGED_SERVICE_ACCOUNT \ CUSTOM_SERVICE_ACCOUNTIn this command, replace the following placeholders:
GOOGLE_MANAGED_SERVICE_ACCOUNT: The email address of your project's
Google Cloud ML Engine Service Agent. Learn how to find this email address in a previous section of this guide.CUSTOM_SERVICE_ACCOUNT: The email address of the new user-managed service account that you just created in a previous step of this section.
Specify the custom service account for your model version
To give your prediction-serving code access to a custom service account, specify
the serviceAccount
field
when you create a model version. Recall that the model version must either use
a custom container or a custom prediction
routine.
If you use the gcloud tool to create a model version, you can use the
--service-account flag with the gcloud beta component. For example:
gcloud beta ai-platform versions create VERSION \
--service-account CUSTOM_SERVICE_ACCOUNT \
...
Replace the following:
- VERSION: A name for the model version.
- CUSTOM_SERVICE_ACCOUNT: The email address of the user-managed service account that you set up in a previous section of this guide.
- ...: Additional options for the model version.
What's next
Learn how to create a model version that uses a custom container
Learn how to create a model version that uses a custom prediction routine.
Learn more about service accounts.