AI Platform Prediction uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account. To share a model, you grant a role that gives access to your model and its versions.
This guide focuses on two predefined AI Platform Prediction roles that can be used to grant access to model resources:
- AI Platform Prediction Model Owner
- AI Platform Prediction Model User
For details on other roles, see the full explanation of all the IAM roles available for use with AI Platform Prediction.
Before you begin
- Train your machine learning model.
- Deploy your model to AI Platform Prediction.
Model roles
The AI Platform Prediction Model Owner and Model User roles grant varying permissions to a particular model resource.
You can share models with individuals or services by granting them the Model User role.
Role Title | Role Name | Capabilities
---|---|---
AI Platform Prediction Model Owner | roles/ml.modelOwner | Full access to the model and its versions. This role is automatically granted to the user who creates the model.
AI Platform Prediction Model User | roles/ml.modelUser | Permissions to read the model and its versions, and use them for prediction. Granting this role makes it easy to share specific models.
Granting individuals and service accounts access to a model
This example demonstrates how to edit an IAM policy for a particular model by granting the Model Owner or Model User roles to individuals and service accounts. You can edit the policy using the API, gcloud, or the Google Cloud console.
Console
Share a model with a user or service account
Open the AI Platform Prediction Models page.
Select the checkbox for each model you would like to share.
Click the Show Info Panel button in the upper right corner to display the Permissions tab.
In the Add Members field, add the Google account(s) for the user(s) you want to share the model with. For example, "email1@gmail.com".
In the Select a role drop-down field, select the role you want to add for the user(s). To share a model resource, select ML Engine Model Owner or ML Engine Model User.
If you are not sure which role to select, see more details on model roles.
Click the Add button next to the Select a role drop-down field to finalize your role selections.
The Google Cloud console page refreshes and displays the roles you have assigned in the Permissions tab with a list of members associated with the role.
To stop sharing a model with a user or service account, click the trash icon next to the account ID.
gcloud
Modifying a model policy by editing the policy file directly
You can use either JSON or YAML files with the gcloud commands. This example uses JSON.
Get the policy that you want to modify, and write it to a JSON file:
gcloud ai-platform models get-iam-policy <MODEL_NAME> --format json > iam.json
Open the policy file (iam.json in this example), or run cat iam.json to see the policy. In the following example policy, the service account is assigned the AI Platform Prediction Model Owner role so that it has access to online prediction:
{
  "bindings": [
    {
      "role": "roles/ml.modelOwner",
      "members": [
        "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        "user:email1@gmail.com"
      ]
    }
  ],
  "etag": "BwVUJYGz8M4="
}
Using a text editor, update your iam.json file as follows. Add a new object to the bindings array that defines the members and the role granted to those members. For example, to grant the role roles/ml.modelUser to the user email2@gmail.com, change the example shown above as follows:
{
  "bindings": [
    {
      "role": "roles/ml.modelOwner",
      "members": [
        "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        "user:email1@gmail.com"
      ]
    },
    {
      "role": "roles/ml.modelUser",
      "members": [
        "user:email2@gmail.com"
      ]
    }
  ],
  "etag": "BwVUJYGz8M4="
}
Update the model's policy by running the following command:
gcloud ai-platform models set-iam-policy <MODEL_NAME> iam.json
The command outputs the updated policy in YAML:
bindings:
- members:
  - user:email1@gmail.com
  - serviceAccount:otherapp@appspot.gserviceaccount.com
  role: roles/ml.modelOwner
- members:
  - user:email2@gmail.com
  role: roles/ml.modelUser
etag: BwVUJYGz8M4=
Modifying a policy with policy binding commands
Use the add-iam-policy-binding and remove-iam-policy-binding commands to grant, revoke, and update access to models.
Share a model with a user
Use the add-iam-policy-binding command to add a user to an existing AI Platform Prediction model policy as follows:
gcloud ai-platform models add-iam-policy-binding <MODEL_NAME> \
    --member user:email3@gmail.com --role roles/ml.modelUser
The command outputs the updated policy:
bindings:
- members:
  - user:email1@gmail.com
  - serviceAccount:otherapp@appspot.gserviceaccount.com
  role: roles/ml.modelOwner
- members:
  - user:email2@gmail.com
  - user:email3@gmail.com
  role: roles/ml.modelUser
etag: BwVUJYGz8M4=
Share a model with a service
Use the add-iam-policy-binding command to add a service account to an existing AI Platform Prediction model policy as follows:
gcloud ai-platform models add-iam-policy-binding <MODEL_NAME> \
    --member=serviceAccount:newserviceapp@appspot.gserviceaccount.com \
    --role=roles/ml.modelOwner
The command outputs the updated policy:
bindings:
- members:
  - user:email1@gmail.com
  - serviceAccount:otherapp@appspot.gserviceaccount.com
  - serviceAccount:newserviceapp@appspot.gserviceaccount.com
  role: roles/ml.modelOwner
- members:
  - user:email2@gmail.com
  - user:email3@gmail.com
  role: roles/ml.modelUser
etag: BwVUJYGz8M4=
Stop sharing a model
To stop sharing a model with a user or service, use the remove-iam-policy-binding command to remove the user or service from an existing AI Platform Prediction model policy. In this example, we remove the Model Owner email1@gmail.com from the model policy:
gcloud ai-platform models remove-iam-policy-binding <MODEL_NAME> \
    --member=user:email1@gmail.com \
    --role=roles/ml.modelOwner
The command outputs the updated policy:
bindings:
- members:
  - serviceAccount:otherapp@appspot.gserviceaccount.com
  - serviceAccount:newserviceapp@appspot.gserviceaccount.com
  role: roles/ml.modelOwner
- members:
  - user:email2@gmail.com
  - user:email3@gmail.com
  role: roles/ml.modelUser
etag: BwVUJYGz8M4=
REST API
Modifying policy via JSON API
Get the existing policy by sending the following request:
GET https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy
The command returns the current policy in the response:
{
  "bindings": [
    {
      "role": "roles/ml.modelOwner",
      "members": [
        "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        "user:email1@gmail.com"
      ]
    }
  ]
}
Once you have modified the policy, update it by sending the following request:
POST https://ml.googleapis.com/v1/projects/<project>/models/<model>:setIamPolicy
The command returns the updated policy in the response. In this example, we have added the user email2@gmail.com as a Model User:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/ml.modelOwner",
        "members": [
          "serviceAccount:my-other-app@appspot.gserviceaccount.com",
          "user:email1@gmail.com"
        ]
      },
      {
        "role": "roles/ml.modelUser",
        "members": [
          "user:email2@gmail.com"
        ]
      }
    ]
  }
}
To get an access token:
gcloud auth print-access-token
When calling the API, pass the token value as a bearer token in an Authorization header:
curl -s -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy
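The read-modify-write that both the gcloud JSON-file procedure and the REST getIamPolicy/setIamPolicy calls perform, as an added Python example (not Google's code or part of the gcloud tool): it edits a policy document of the shape shown above, mirroring what add-iam-policy-binding and remove-iam-policy-binding do, keeps the etag so that the set call can detect a concurrent change to the policy, and lists who holds a role so Model Owner grants can be reviewed before the file is written back. The sample policy is constructed from the example values on this page.

```python
from copy import deepcopy

# Constructed sample in the shape that
#   gcloud ai-platform models get-iam-policy <MODEL_NAME> --format json
# writes to iam.json (example values only, not from a real project).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/ml.modelOwner",
         "members": ["serviceAccount:my-other-app@appspot.gserviceaccount.com",
                     "user:email1@gmail.com"]}
    ],
    "etag": "BwVUJYGz8M4=",
}


def add_binding(policy, role, member):
    """Grant member the role, as add-iam-policy-binding does: extend the
    existing binding for that role or create one. Idempotent; returns a
    new dict and keeps the etag so set-iam-policy can reject a stale write."""
    new = deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, role, member):
    """Revoke member's role, as remove-iam-policy-binding does; a binding
    left with no members is dropped rather than written back empty."""
    new = deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def members_with_role(policy, role):
    """Sorted list of who holds a role: review roles/ml.modelOwner here
    before writing the file back with `gcloud ... set-iam-policy`."""
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role for m in b["members"])
```

Dump the returned dict with json.dumps(policy, indent=2) into iam.json and run the set-iam-policy command from the procedure above, or send it as the "policy" field of the setIamPolicy request body.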