This legacy version of AI Platform Prediction is deprecated and will no longer be available on Google Cloud after January 31, 2025. All models, associated metadata, and deployments will be deleted after January 31, 2025. Migrate your resources to Vertex AI to get new machine learning features that are unavailable in AI Platform.

Sharing models

AI Platform Prediction uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account. To share a model, you grant a role that gives access to your model and its versions.

This guide focuses on two predefined AI Platform Prediction roles that can be used to grant access to model resources:

AI Platform Prediction Model Owner
AI Platform Prediction Model User

For details on other roles, see the full explanation of all the IAM roles available for use with AI Platform Prediction.

Before you begin

Train your machine learning model.
Deploy your model to AI Platform Prediction.

Model roles

The AI Platform Prediction Model Owner and Model User roles grant varying permissions to a particular model resource.

You can share models with individuals or services by granting them the Model User role.

Role Title	Role Name	Capabilities
AI Platform Prediction Model Owner	`roles/ml.modelOwner`	Full access to the model and its versions. This role is automatically granted to the user who creates the model.
AI Platform Prediction Model User	`roles/ml.modelUser`	Permissions to read the model and its versions, and use them for prediction. Granting this role makes it easy to share specific models.

Granting individuals and service accounts access to a model

This example demonstrates how to edit an IAM policy for a particular model by granting the Model Owner or Model User roles to individuals and service accounts. You can edit the policy file using the API, gcloud, or the Google Cloud console.

Console

Share a model with a user or service account

Open the AI Platform Prediction Models page.

Open AI Platform Prediction models page
Select the checkbox for each model you would like to share.
Click the Show Info Panel button in the upper right corner to display the Permissions tab.
In the Add Members field, add the Google account(s) for the user(s) you want to share the model with. For example, "email1@gmail.com".
In the Select a role drop-down field, select the role you want to add for the user(s). To share a model resource, select ML Engine Model Owner or ML Engine Model User.

If you are not sure which role to select, see more details on model roles.
Click the Add button next to the Select a role drop-down field to finalize your role selections.
The Google Cloud console page refreshes and displays the roles you have assigned in the Permissions tab with a list of members associated with the role.

To stop sharing a model with a user or service account, click the trash icon next to the account ID.

gcloud

Modifying a model policy by editing the policy file directly

You can use either JSON or YAML files with the gcloud commands. This example uses JSON.

Get the policy that you want to modify, and write it to a JSON file.

gcloud ai-platform models get-iam-policy <MODEL_NAME> --format json > iam.json

Open the policy file (iam.json in this example), or run cat iam.json to see the policy. In the following example policy, the service account is assigned the AI Platform Prediction Model Owner role so that it has access to online prediction.

 {
    "bindings": [
    {
        "role": "roles/ml.modelOwner",
        "members": [
            "serviceAccount:my-other-app@appspot.gserviceaccount.com",
            "user:email1@gmail.com"
        ]
    }
    ],
    "etag": "BwVUJYGz8M4=",
 }

Using a text editor, update your iam.json file as follows. Add a new object to the bindings array that defines the group members and the role for those members. For example, to grant the role roles/ml.modelUser to the user email2@gmail.com, change the example shown above as follows:

 {
    "bindings": [
    {
        "role": "roles/ml.modelOwner",
        "members": [
            "serviceAccount:my-other-app@appspot.gserviceaccount.com",
            "user:email1@gmail.com"
        ]
    },
    {
        "role": "roles/ml.modelUser",
        "members": [
            "user:email2@gmail.com"
        ]
    }
    ],
    "etag": "BwVUJYGz8M4=",
 }

Update the project's policy by running the following command:

gcloud ai-platform models set-iam-policy <MODEL_NAME> iam.json

The command outputs the updated policy in YAML:

bindings:
- members:
  - user:email1@gmail.com
  - serviceAccount:otherapp@appspot.gserviceaccount.com
  role: roles/ml.modelOwner
- members:
  - user:email2@gmail.com
  role: roles/ml.modelUser
etag: BwVUJYGz8M4=

Modifying a policy with policy binding commands

Use the add-iam-policy-binding and remove-iam-policy-binding commands to grant, revoke, and update access to models.

Share a model with a user

Use the add-iam-policy-binding command to add a user to an existing AI Platform Prediction model policy as follows:

gcloud ai-platform models add-iam-policy-binding <MODEL_NAME> \
    --member user:email3@gmail.com --role roles/ml.modelUser

The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      - serviceAccount:otherapp@appspot.gserviceaccount.com
      role: roles/ml.modelOwner
    - members:
      - user:email2@gmail.com
      - user:email3@gmail.com
      role: roles/ml.modelUser
    etag: BwVUJYGz8M4=

Share a model with a service

Use the add-iam-policy-binding command to add a service account to an existing AI Platform Prediction model policy as follows:

gcloud ai-platform models add-iam-policy-binding <MODEL_NAME> \
    --member=serviceAccount:newserviceapp@appspot.gserviceaccount.com \
    --role=roles/ml.modelOwner

The command outputs the updated policy:

  bindings:
  - members:
    - user:email1@gmail.com
    - serviceAccount:otherapp@appspot.gserviceaccount.com
    - serviceAccount:newserviceapp@appspot.gserviceaccount.com
    role: roles/ml.modelOwner
  - members:
    - user:email2@gmail.com
    - user:email3@gmail.com
    role: roles/ml.modelUser
  etag: BwVUJYGz8M4=

Stop sharing a model

To stop sharing a model with a user or service, use the remove-iam-policy-binding command to remove the user or service from an existing AI Platform Prediction model policy. In this example, we remove the Model Owner email1@gmail.com from the model policy.

gcloud ai-platform models remove-iam-policy-binding <MODEL_NAME> \
      --member=user:email1@gmail.com \
      --role=roles/ml.modelOwner

The command outputs the updated policy:

  bindings:
  - members:
    - serviceAccount:otherapp@appspot.gserviceaccount.com
    - serviceAccount:newserviceapp@appspot.gserviceaccount.com
    role: roles/ml.modelOwner
  - members:
    - user:email2@gmail.com
    - user:email3@gmail.com
    role: roles/ml.modelUser
  etag: BwVUJYGz8M4=

REST API

Modifying policy via JSON API

Get the existing policy by sending the following request:

GET https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy

The command returns the current policy in the response:

   {
      "bindings": [
      {
          "role": "roles/ml.modelOwner",
          "members": [
              "serviceAccount:my-other-app@appspot.gserviceaccount.com",
              "user:email1@gmail.com"
          ]
      }
      ]
   }

Once you have modified the policy, update it by sending the following request:

POST https://ml.googleapis.com/v1/projects/<project>/models/<model>:setIamPolicy

The command returns the updated policy in the response. In this example, we have added the user email2@gmail.com as a Model User:

    {
       "policy": {
           "bindings": [
           {
               "role": "roles/ml.modelOwner",
               "members": [
                   "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                   "user:email1@gmail.com"
               ]
           },
           {
               "role": "roles/ml.modelUser",
               "members": [
                   "user:email2@gmail.com"
               ]
           }
           ]
       }
    }

To get an access token:
```
gcloud auth print-access-token
```

When calling the API, pass the token value as a bearer token in an Authorization header:

curl -s -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy