This page describes how you use Cloud Identity and Access Management to control access to your AutoML Tables resources, including data sources and results destinations.
Overview of Cloud Identity and Access Management
When you use AutoML Tables, you can manage access to your resources with Cloud Identity and Access Management (Cloud IAM). Cloud IAM lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud IAM permissions and roles for AutoML Tables. For a detailed description of Cloud IAM, see the Cloud IAM documentation.
Cloud IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
Cloud IAM lets you control who (user) has what (role) type of access for which resources by granting one or more roles to a user, giving the user certain permissions. For example, you can grant the AutoML Viewer role (roles/automl.viewer) to a user, which allows the user to view resources in the project. If that user needs to create or update resources, you can grant the AutoML Editor role.
AutoML Tables uses the AutoML API, which provides a set of predefined roles that help you control access to your AutoML resources.
You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need.
In addition, the legacy primitive roles (Editor, Viewer, and Owner) are also available to you, although they do not provide the same fine-grained control as the AutoML roles. If possible, avoid using the primitive roles; they provide access to resources across Google Cloud, rather than just for AutoML. Learn more about primitive roles.
This section summarizes the predefined roles provided by AutoML.
||Role||Description||
||AutoML Admin (Beta)||Full access to all AutoML resources||
||AutoML Editor (Beta)||Editor of all AutoML resources||
||AutoML Predictor (Beta)||Predict using models||
||AutoML Viewer (Beta)||Viewer of all AutoML resources||
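The advice above to prefer the AutoML roles over the primitive roles is easy to check against a project's actual policy. The following script is an added example and is not part of the AutoML Tables documentation: it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports every member that holds a legacy primitive role, together with any AutoML role the same member already holds. The sample policy is constructed for illustration; roles/automl.viewer is named on this page, and the other role IDs follow the same roles/automl.<role> pattern.

```python
"""Audit a project's IAM policy for primitive-role grants.

Added example; not part of the AutoML Tables documentation. Input is the
policy document that `gcloud projects get-iam-policy PROJECT_ID
--format=json` prints. The sample policy below is constructed.
"""
import json
from collections import defaultdict

# Legacy primitive roles: they grant access across Google Cloud, not just AutoML.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Predefined AutoML roles (roles/automl.viewer is on the page; the rest follow
# the same roles/automl.<role> naming pattern).
AUTOML_ROLES = {
    "roles/automl.admin",
    "roles/automl.editor",
    "roles/automl.predictor",
    "roles/automl.viewer",
}

# Constructed sample policy in the shape get-iam-policy returns: a list of
# role -> members bindings plus an etag used for optimistic concurrency.
SAMPLE_POLICY = json.loads("""
{
  "etag": "BwX-constructed-etag",
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": [
        "user:bob@example.com",
        "serviceAccount:pipeline@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/automl.editor", "members": ["user:bob@example.com"]},
    {"role": "roles/automl.predictor", "members": [
        "serviceAccount:pipeline@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/automl.viewer", "members": ["group:analysts@example.com"]}
  ]
}
""")


def roles_by_member(policy):
    """Invert the policy: member -> set of roles that member holds."""
    held = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held[member].add(binding["role"])
    return held


def primitive_role_findings(policy):
    """Return one finding per member that holds a primitive role.

    Each finding lists the primitive roles and any AutoML roles the member
    also holds, so a reviewer can see whether AutoML access is already
    covered by a narrower role (has_narrower_automl_role) or whether the
    member's only path to AutoML is the broad primitive grant.
    """
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        primitive = sorted(roles & PRIMITIVE_ROLES)
        if not primitive:
            continue
        automl = sorted(roles & AUTOML_ROLES)
        findings.append({
            "member": member,
            "primitive_roles": primitive,
            "automl_roles": automl,
            "has_narrower_automl_role": bool(automl),
        })
    return findings


if __name__ == "__main__":
    for finding in primitive_role_findings(SAMPLE_POLICY):
        print(json.dumps(finding))
```

Run it against a saved policy by replacing SAMPLE_POLICY with `json.load(open("policy.json"))`. A member flagged with has_narrower_automl_role already reaches AutoML through the narrower role, so the primitive grant is a candidate for removal once its use for other services has been reviewed.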
Giving permissions to AutoML Tables in your home project
Sometimes you need to grant additional roles to a service account that AutoML Tables creates automatically. For example, when you use BigQuery external tables backed by Cloud Bigtable data sources, you need to grant additional roles to the automatically created service account, so that it has the required permissions to read and write data for BigQuery and Bigtable.
To grant additional roles to the automatically created service account for AutoML Tables in your home project:
1. Go to the IAM page of the Cloud Console for your home project.
2. Click the pencil icon for the service account with the name AutoML Service Agent.
3. Grant the required roles to the service account and save your changes.
Giving permissions to AutoML Tables in a different project
When you use data sources or destinations in a different project, you must give the AutoML Tables service account permissions in that project. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.
To add permissions to AutoML Tables in a different project:
1. Go to the IAM page of the Cloud Console for your home project (the project where you are using AutoML Tables).
2. Find the service account with the name AutoML Service Agent and copy its email address (listed under Member).
3. Change projects to the project where you need to grant the permissions.
4. Click Add, and enter the email address in New members.
5. Add all required roles and click Save.
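The console steps above amount to a read-modify-write of the other project's IAM policy. The script below is an added example, not part of the AutoML Tables documentation, that performs the same edit on the policy document so the change can be reviewed before it is applied with `gcloud projects set-iam-policy`. The service agent address and project ID are placeholders (copy the real address from the Member column as described above), and the two roles are chosen for illustration only; the page does not name the exact roles BigQuery and Bigtable require.

```python
"""Grant the AutoML Tables service agent roles in a data project's policy.

Added example; not part of the AutoML Tables documentation. Intended flow:

    gcloud projects get-iam-policy DATA_PROJECT_ID --format=json > policy.json
    python3 grant_agent.py policy.json     # rewrites policy.json in place
    gcloud projects set-iam-policy DATA_PROJECT_ID policy.json

DATA_PROJECT_ID, the agent address and the roles below are placeholders.
"""
import copy
import json
import sys

# Placeholder: use the Member address of the AutoML Service Agent from the
# home project's IAM page.
AGENT_EMAIL = "AUTOML-SERVICE-AGENT@PLACEHOLDER.iam.gserviceaccount.com"
# Illustrative roles; pick the ones your BigQuery/Bigtable sources require.
ROLES_TO_GRANT = ["roles/bigquery.dataViewer", "roles/bigtable.reader"]


def add_binding(policy, member, role):
    """Return a copy of policy with member added to role.

    Idempotent: a member already in the binding is not added twice. Bindings
    that carry a condition are left alone, because appending a member there
    would silently scope the new grant to that condition. The etag is kept
    so set-iam-policy rejects the write if the policy changed after it was
    read.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def grant_service_agent(policy, agent_email, roles):
    """Add serviceAccount:<agent_email> to each of the given roles."""
    member = f"serviceAccount:{agent_email}"
    for role in roles:
        policy = add_binding(policy, member, role)
    return policy


def new_members(before, after):
    """Review helper: (role, member) pairs present only in `after`."""
    def pairs(policy):
        return {(b["role"], m)
                for b in policy.get("bindings", []) for m in b["members"]}
    return sorted(pairs(after) - pairs(before))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "policy.json"
    with open(path) as f:
        before = json.load(f)
    after = grant_service_agent(before, AGENT_EMAIL, ROLES_TO_GRANT)
    for role, member in new_members(before, after):
        print(f"adding {member} to {role}")
    with open(path, "w") as f:
        json.dump(after, f, indent=2)
```

Printing the diff before writing is the point of doing this outside the console: the only bindings that change are the ones for the service agent, and a conditional binding on the same role is never widened by accident.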
Providing access to Google Sheets
If you use an external BigQuery data source backed by Google Sheets, you must share your sheet with the AutoML service account. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.
To authorize AutoML Tables to access your Sheets file:
1. Go to the IAM page of the Cloud Console.
2. Look for the service account with the name AutoML Service Agent.
3. Copy the Member name to your clipboard. The Member name is an email address.
4. Open your Sheets file and share it with that address.
Managing Cloud IAM roles
You can grant, change, and revoke Cloud IAM roles using the Cloud Console, the Cloud IAM API, or the tool. For detailed instructions, see Granting, changing, and revoking access to project members.
Learn more about Cloud Identity and Access Management.