Access control

This page describes how you use Cloud Identity and Access Management to control access to your AutoML Tables resources, including data sources and results destinations.

Overview of Cloud Identity and Access Management

When you use AutoML Tables, you can manage access to your resources with Cloud Identity and Access Management (Cloud IAM). Cloud IAM lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud IAM permissions and roles for AutoML Tables. For a detailed description of Cloud IAM, see the Cloud IAM documentation.

Cloud IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

Cloud IAM lets you control who (user) has what (role) type of access for which resources by granting one or more roles to a user, giving the user certain permissions. For example, you can grant the AutoML Viewer role (roles/automl.viewer) to a user, which allows the user to view resources in the project. If that user needs to create or update resources, you can grant the AutoML Editor role (roles/automl.editor) instead.

Roles

AutoML Tables uses the AutoML API, which provides a set of predefined roles that help you control access to your AutoML resources.

You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need.

In addition, the legacy primitive roles (Editor, Viewer, and Owner) are also available to you, although they do not provide the same fine-grained control as the AutoML roles. If possible, avoid using the primitive roles; they provide access to resources across Google Cloud, rather than just for AutoML. Learn more about primitive roles.
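The following added example (not code from the AutoML Tables documentation) audits a project's IAM policy for the primitive roles the paragraph above advises against, and suggests the AutoML-scoped role that matches the page's own mapping (Viewer, Editor, Owner to AutoML Viewer, Editor, Admin). It assumes the JSON layout that gcloud projects get-iam-policy PROJECT --format=json returns, a list of bindings each holding a role and its members; the policy below is constructed sample data with fictitious members.

```python
# Added example, not part of the AutoML Tables documentation.
# Flags members holding a primitive role and suggests the AutoML-scoped role.
import json

# Mapping taken from the page: primitive role -> AutoML role with similar intent.
PRIMITIVE_TO_AUTOML = {
    "roles/viewer": "roles/automl.viewer",
    "roles/editor": "roles/automl.editor",
    "roles/owner": "roles/automl.admin",
}

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` (assumed layout).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "user:bob@example.com",
            "serviceAccount:ci@example-project.iam.gserviceaccount.com",
        ]},
        {"role": "roles/automl.predictor", "members": [
            "serviceAccount:ci@example-project.iam.gserviceaccount.com",
        ]},
        {"role": "roles/automl.viewer", "members": ["user:carol@example.com"]},
    ],
    "etag": "BwWsampleEtag=",
    "version": 1,
})


def roles_by_member(policy: dict) -> dict:
    """Invert the bindings list into {member: set(roles)}."""
    by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            by_member.setdefault(member, set()).add(binding["role"])
    return by_member


def audit_primitive_roles(policy_json: str) -> list:
    """Return one finding per (member, primitive role) pair.

    Each finding names the suggested AutoML role and lists any AutoML roles the
    member already holds, since in that case the primitive role is usually
    redundant for AutoML work and only widens access to other services.
    """
    policy = json.loads(policy_json)
    primitive = set(PRIMITIVE_TO_AUTOML)
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        automl_roles = sorted(r for r in roles if r.startswith("roles/automl."))
        for role in sorted(roles & primitive):
            findings.append({
                "member": member,
                "primitive_role": role,
                "suggested_role": PRIMITIVE_TO_AUTOML[role],
                "existing_automl_roles": automl_roles,
            })
    return findings


def format_findings(findings: list) -> str:
    """Render findings as one line each for a review report."""
    lines = []
    for f in findings:
        extra = ""
        if f["existing_automl_roles"]:
            extra = " (already holds %s)" % ", ".join(f["existing_automl_roles"])
        lines.append("%s holds %s; consider %s%s" % (
            f["member"], f["primitive_role"], f["suggested_role"], extra))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(audit_primitive_roles(SAMPLE_POLICY)))
```

The audit is deliberately conservative: it reports, rather than rewrites, because whether a member genuinely needs project-wide Editor access for something other than AutoML is a decision the reviewer has to make per member.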

Predefined roles

This section summarizes the predefined roles provided by AutoML.

Each role is listed with its title, description, the permissions it grants, and the lowest resource level at which it can be granted.

roles/automl.admin (AutoML Admin, Beta)
  Description: Full access to all AutoML resources
  Permissions:
    • automl.*
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.services.list
  Lowest resource: Dataset/Model

roles/automl.editor (AutoML Editor, Beta)
  Description: Editor of all AutoML resources
  Permissions:
    • automl.annotationSpecs.*
    • automl.annotations.*
    • automl.columnSpecs.*
    • automl.datasets.create
    • automl.datasets.delete
    • automl.datasets.export
    • automl.datasets.get
    • automl.datasets.import
    • automl.datasets.list
    • automl.datasets.update
    • automl.examples.*
    • automl.humanAnnotationTasks.*
    • automl.locations.get
    • automl.locations.list
    • automl.modelEvaluations.*
    • automl.models.create
    • automl.models.delete
    • automl.models.deploy
    • automl.models.export
    • automl.models.get
    • automl.models.list
    • automl.models.predict
    • automl.models.undeploy
    • automl.operations.*
    • automl.tableSpecs.*
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.services.list
  Lowest resource: Dataset/Model

roles/automl.predictor (AutoML Predictor, Beta)
  Description: Predict using models
  Permissions:
    • automl.models.predict
    • resourcemanager.projects.get
    • resourcemanager.projects.list
  Lowest resource: Model

roles/automl.viewer (AutoML Viewer, Beta)
  Description: Viewer of all AutoML resources
  Permissions:
    • automl.annotationSpecs.get
    • automl.annotationSpecs.list
    • automl.annotations.list
    • automl.columnSpecs.get
    • automl.columnSpecs.list
    • automl.datasets.get
    • automl.datasets.list
    • automl.examples.get
    • automl.examples.list
    • automl.humanAnnotationTasks.get
    • automl.humanAnnotationTasks.list
    • automl.locations.get
    • automl.locations.list
    • automl.modelEvaluations.get
    • automl.modelEvaluations.list
    • automl.models.get
    • automl.models.list
    • automl.operations.get
    • automl.operations.list
    • automl.tableSpecs.get
    • automl.tableSpecs.list
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.services.list
  Lowest resource: Dataset/Model
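The following added example (not code from the AutoML Tables documentation) turns the role table above into a lookup: it answers whether a predefined role grants a given permission, and picks the least-privileged predefined role that covers a set of permissions a principal needs. The permission lists are transcribed from the table; the only assumption is that a trailing ".*" in the table (for example automl.models.*) means every permission under that prefix, and that Predictor and Viewer are each narrower than Editor but not comparable with one another.

```python
# Added example, not part of the AutoML Tables documentation.
# Role and permission data transcribed from the predefined-roles table.
from typing import Iterable, Optional

ROLE_PERMISSIONS = {
    "roles/automl.admin": (
        "automl.* resourcemanager.projects.get resourcemanager.projects.list "
        "serviceusage.services.list"
    ),
    "roles/automl.editor": (
        "automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* "
        "automl.datasets.create automl.datasets.delete automl.datasets.export "
        "automl.datasets.get automl.datasets.import automl.datasets.list "
        "automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* "
        "automl.locations.get automl.locations.list automl.modelEvaluations.* "
        "automl.models.create automl.models.delete automl.models.deploy "
        "automl.models.export automl.models.get automl.models.list "
        "automl.models.predict automl.models.undeploy automl.operations.* "
        "automl.tableSpecs.* resourcemanager.projects.get "
        "resourcemanager.projects.list serviceusage.services.list"
    ),
    "roles/automl.predictor": (
        "automl.models.predict resourcemanager.projects.get "
        "resourcemanager.projects.list"
    ),
    "roles/automl.viewer": (
        "automl.annotationSpecs.get automl.annotationSpecs.list "
        "automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list "
        "automl.datasets.get automl.datasets.list automl.examples.get "
        "automl.examples.list automl.humanAnnotationTasks.get "
        "automl.humanAnnotationTasks.list automl.locations.get "
        "automl.locations.list automl.modelEvaluations.get "
        "automl.modelEvaluations.list automl.models.get automl.models.list "
        "automl.operations.get automl.operations.list automl.tableSpecs.get "
        "automl.tableSpecs.list resourcemanager.projects.get "
        "resourcemanager.projects.list serviceusage.services.list"
    ),
}

# Roles tried from least to most privileged (assumed ordering). Predictor and
# Viewer are not comparable (Predictor can predict but not read metadata), so
# both are tried before Editor; the first role covering every permission wins.
LEAST_TO_MOST = [
    "roles/automl.predictor",
    "roles/automl.viewer",
    "roles/automl.editor",
    "roles/automl.admin",
]


def _pattern_matches(pattern: str, permission: str) -> bool:
    """A trailing '.*' in the table grants every permission under that prefix."""
    if pattern.endswith(".*"):
        return permission.startswith(pattern[:-1])
    return pattern == permission


def role_grants(role: str, permission: str) -> bool:
    """True if the predefined role grants the given permission."""
    return any(_pattern_matches(p, permission)
               for p in ROLE_PERMISSIONS[role].split())


def least_privileged_role(needed: Iterable[str]) -> Optional[str]:
    """Least-privileged predefined role covering all needed permissions.

    Returns None when no single predefined role covers them, which is the case
    where a custom role (see the Roles section) is the least-privilege choice.
    """
    needed = set(needed)
    for role in LEAST_TO_MOST:
        if all(role_grants(role, perm) for perm in needed):
            return role
    return None


if __name__ == "__main__":
    # A batch-prediction job that only calls predict needs nothing beyond Predictor.
    print(least_privileged_role(["automl.models.predict"]))
    # Reading model metadata and predicting is not covered by Predictor or Viewer alone.
    print(least_privileged_role(["automl.models.get", "automl.models.predict"]))
```

The second case in the usage block is the one worth noticing: a principal that both lists models and calls predict gets Editor from this table, which also carries create, delete and deploy rights, so a custom role built from just those two permissions would be the tighter grant.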

Giving permissions to AutoML Tables in your home project

Sometimes you need to grant additional roles to a service account that AutoML Tables creates automatically. For example, when you use BigQuery external tables backed by Cloud Bigtable data sources, you need to grant additional roles to the automatically created service account, so that it has the required permissions to read and write data for BigQuery and Bigtable.

To grant additional roles to the automatically created service account for AutoML Tables in your home project:

  1. Go to the IAM page of the Cloud Console for your home project.

  2. Click the pencil icon for the service account with the name AutoML Service Agent.

  3. Grant the required roles to the service account and save your changes.

Giving permissions to AutoML Tables in a different project

When you use data sources or destinations in a different project, you must give the AutoML Tables service account permissions in that project. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.

To add permissions to AutoML Tables in a different project:

  1. Go to the IAM page of the Cloud Console for your home project (the project where you are using AutoML Tables).

  2. Find the service account with the name AutoML Service Agent and copy its email address (listed under Member).

  3. Change projects to the project where you need to grant the permissions.

  4. Click Add, and enter the email address in New members.

  5. Add all required roles and click Save.

Providing access to Google Sheets

If you use an external BigQuery data source backed by Google Sheets, you must share your sheet with the AutoML service account. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.

To authorize AutoML Tables to access your Sheets file:

  1. Go to the IAM page of the Cloud Console.

  2. Look for the service account with the name AutoML Service Agent.

  3. Copy the Member name to your clipboard.

    The Member name is an email address, similar to this example:

    service-358517216@gcp-sa-automl.iam.gserviceaccount.com
    
  4. Open your Sheets file and share it with that address.

Managing Cloud IAM roles

You can grant, change, and revoke Cloud IAM roles using the Cloud Console, the Cloud IAM API, or the gcloud command-line tool. For detailed instructions, see Granting, changing, and revoking access to project members.

What's next

Learn more about Cloud Identity and Access Management.