You can configure AI Platform Training to use a service account of your choice when it runs your training application. Using a custom service account lets you customize what Google Cloud resources your training code can access without granting overly broad permissions to the service account that your AI Platform Training uses by default.
Understanding the Google-managed service account
By default, AI Platform Training uses a Google-managed service account to run training jobs. This service account is identified by an email address with the following format:
PROJECT_NUMBER is replaced by the project number for your Google Cloud project.
Find the corresponding service account for your AI Platform project in
the Google Cloud Console or by using the
gcloud command-line tool:
Go to the IAM page in the Cloud Console and find the member that
matches the email address format described previously in this section. The
service account also has the name
Google Cloud ML Engine Service Agent.
Run the following command in a Shell environment where you have initialized
gcloud projects get-iam-policy PROJECT_ID \ --flatten="bindings.members" \ --format="table(bindings.members)" \ --filter="bindings.role:roles/ml.serviceAgent" \ | grep serviceAccount:
Replace PROJECT_ID with the ID of your Google Cloud project.
This command outputs the following:
GOOGLE_MANAGED_SERVICE_ACCOUNT is the email address of your project's AI Platform Training Google-managed service account.
This Google-managed service account has permissions that are appropriate for running most training jobs. For example, it can read from and write to Cloud Storage buckets in the same Google Cloud project.
If you need your training applications to run with additional permissions, you can assign additional Identity and Access Management roles to this service account. For example, you can give it access to Cloud Storage buckets in other Google Cloud projects.
Using a custom service account
If you want to grant or limit Google Cloud permissions for a specific training job, use a custom service account to run your training application in place of the Google-managed service account.
To do this, first set up a custom service account. Then specify the custom service account when you create a training job.
Set up a custom service account
To set up a custom service account that you can use to run training jobs, do the following:
Grant your new service account IAM roles to provide your training application with any permissions that it needs when it runs.
Grant your project's AI Platform Training Google-managed-service account the
roles/iam.serviceAccountAdminrole for your new custom service account. To do so, use the
gcloudtool to run the following command:
gcloud iam service-accounts add-iam-policy-binding \ --role=roles/iam.serviceAccountAdmin \ --member=GOOGLE_MANAGED_SERVICE_ACCOUNT \ CUSTOM_SERVICE_ACCOUNT
In this command, replace the following placeholders:
GOOGLE_MANAGED_SERVICE_ACCOUNT: The email address of your project's
Google Cloud ML Engine Service Agent. Learn how to find this email address in a previous section of this guide.
CUSTOM_SERVICE_ACCOUNT: The email address of the new user-managed service account that you just created in a previous step of this section.
Specify the custom service account for your training job
If you use the
gcloud tool to create a training job, you must use a
config.yaml file to specify
this field. For example:
trainingInput: serviceAccount: CUSTOM_SERVICE_ACCOUNT
Learn how to create a training job, and read about additional configuration options for your jobs.
Learn more about service accounts.