Access control with IAM

This page describes how you use Identity and Access Management to control access to your AutoML Tables resources, including data sources and results destinations.

Overview of Identity and Access Management

When you use AutoML Tables, you can manage access to your resources with Identity and Access Management (IAM). IAM lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM permissions and roles for AutoML Tables. For a detailed description of IAM, see the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (user) has what (role) type of access for which resources by granting one or more roles to a user, giving the user certain permissions. For example, you can grant the AutoML Viewer role (roles/automl.viewer) to a user, which allows the user to view resources in the project. If that user needs to create or update resources, you can grant the AutoML Editor role (roles/automl.editor) instead.

Roles

AutoML Tables uses the AutoML API, which provides a set of predefined roles that help you control access to your AutoML resources.

You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need.

In addition, the older basic roles (Editor, Viewer, and Owner) are also available to you, although they do not provide the same fine-grained control as the AutoML roles. If possible, avoid using the basic roles; they provide access to resources across Google Cloud, rather than just for AutoML. Learn more about basic roles.
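
As an added example (not part of the AutoML Tables documentation), the following Python script reviews a project's IAM policy, in the JSON form that gcloud projects get-iam-policy prints, for the grants this section advises against: basic roles, and AutoML roles bound to the whole project when the role table below shows they can be scoped to a single Dataset or Model. The sample policy and its principals are constructed.

```python
"""Review an IAM policy for the grants this section advises against.

Input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
prints; only its "bindings" list is used.
"""
import json

# Basic roles grant access across Google Cloud, not just AutoML.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Per the role table, these can be granted on a single Dataset or Model, so a
# project-level binding is broader than it needs to be.
SCOPABLE_AUTOML_ROLES = {"roles/automl.admin", "roles/automl.editor"}

# Constructed sample policy in gcloud's JSON output format (not a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:analyst@example.com"]},
        {"role": "roles/automl.admin",
         "members": ["serviceAccount:pipeline@example.iam.gserviceaccount.com"]},
        {"role": "roles/automl.predictor",
         "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
    ],
})


def audit_policy(policy_json: str) -> list:
    """Return (finding, member, role) triples; an empty list means no concerns.

    'basic-role': a member holds Owner, Editor or Viewer.
    'project-wide-automl-role': a member holds automl.admin or automl.editor on
    the whole project instead of on the Dataset or Model it works with.
    """
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append(("basic-role", member, role))
            elif role in SCOPABLE_AUTOML_ROLES:
                findings.append(("project-wide-automl-role", member, role))
    return findings


if __name__ == "__main__":
    for finding, member, role in audit_policy(SAMPLE_POLICY):
        print(f"{finding}: {member} holds {role}")
```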

Predefined roles

This section summarizes the predefined roles provided by AutoML.

Role and permissions. Each entry gives the role ID, its description, the lowest-level resources where you can grant it, and the permissions it includes; a wildcard entry such as automl.* is followed by the list of permissions it covers.

(roles/automl.admin)

Full access to all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.*

  • automl.annotationSpecs.create
  • automl.annotationSpecs.delete
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotationSpecs.update
  • automl.annotations.approve
  • automl.annotations.create
  • automl.annotations.list
  • automl.annotations.manipulate
  • automl.annotations.reject
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.columnSpecs.update
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.getIamPolicy
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.setIamPolicy
  • automl.datasets.update
  • automl.examples.delete
  • automl.examples.get
  • automl.examples.list
  • automl.examples.update
  • automl.files.delete
  • automl.files.list
  • automl.humanAnnotationTasks.create
  • automl.humanAnnotationTasks.delete
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.getIamPolicy
  • automl.locations.list
  • automl.locations.setIamPolicy
  • automl.modelEvaluations.create
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.getIamPolicy
  • automl.models.list
  • automl.models.predict
  • automl.models.setIamPolicy
  • automl.models.undeploy
  • automl.operations.cancel
  • automl.operations.delete
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • automl.tableSpecs.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/automl.editor)

Editor of all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.annotationSpecs.*

  • automl.annotationSpecs.create
  • automl.annotationSpecs.delete
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotationSpecs.update

automl.annotations.*

  • automl.annotations.approve
  • automl.annotations.create
  • automl.annotations.list
  • automl.annotations.manipulate
  • automl.annotations.reject

automl.columnSpecs.*

  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.columnSpecs.update

automl.datasets.create

automl.datasets.delete

automl.datasets.export

automl.datasets.get

automl.datasets.import

automl.datasets.list

automl.datasets.update

automl.examples.*

  • automl.examples.delete
  • automl.examples.get
  • automl.examples.list
  • automl.examples.update

automl.files.*

  • automl.files.delete
  • automl.files.list

automl.humanAnnotationTasks.*

  • automl.humanAnnotationTasks.create
  • automl.humanAnnotationTasks.delete
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.*

  • automl.modelEvaluations.create
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list

automl.models.create

automl.models.delete

automl.models.deploy

automl.models.export

automl.models.get

automl.models.list

automl.models.predict

automl.models.undeploy

automl.operations.*

  • automl.operations.cancel
  • automl.operations.delete
  • automl.operations.get
  • automl.operations.list

automl.tableSpecs.*

  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • automl.tableSpecs.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/automl.predictor)

Predict using models

Lowest-level resources where you can grant this role:

  • Model

  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list

(roles/automl.viewer)

Viewer of all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.files.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Giving permissions to AutoML Tables in your home project

Sometimes you need to grant additional roles to a service account that AutoML Tables creates automatically. For example, when you use BigQuery external tables backed by Bigtable data sources, you need to grant additional roles to the automatically created service account, so that it has the required permissions to read and write data for BigQuery and Bigtable.

To grant additional roles to the automatically created service account for AutoML Tables in your home project:

  1. Go to the IAM page of the Google Cloud console for your home project.

  2. Select the Include Google-provided role grants checkbox in the upper right-hand corner.

  3. Click the pencil icon for the service account with the name AutoML Service Agent.

  4. Grant the required roles to the service account and save your changes.

Giving permissions to AutoML Tables in a different project

When you use data sources or destinations in a different project, you must give the AutoML Tables service account permissions in that project. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.

To add permissions to AutoML Tables in a different project:

  1. Go to the IAM page of the Google Cloud console for your home project (the project where you are using AutoML Tables).

  2. Select the Include Google-provided role grants checkbox in the upper right-hand corner.

  3. Find the service account with the name AutoML Service Agent and copy its email address (listed under Principal).

  4. Change projects to the project where you need to grant the permissions.

  5. Click Add, and enter the email address in New principals.

  6. Add all required roles and click Save.
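
The following Python script is an added example, not from the AutoML Tables documentation. It performs the same steps as the two procedures above with gcloud instead of the console: it reads the AutoML Service Agent's email from the home project's IAM policy (gcloud returns the Google-provided grants that the console hides behind the checkbox) and builds the gcloud projects add-iam-policy-binding command for the target project, which may be the home project itself. The sample policy, the project IDs and the role name are constructed placeholders; the live lookup assumes an authenticated gcloud installation.

```python
"""Find the AutoML Service Agent in the home project's IAM policy (as gcloud
returns it, Google-provided grants included) and grant it a role elsewhere."""
import json
import shlex
import subprocess

# The agent's email is in this domain; see the example email under
# "Providing access to Google Sheets" on this page.
AGENT_DOMAIN = "@gcp-sa-automl.iam.gserviceaccount.com"

# Constructed sample policy: project number and the agent's role are made up.
SAMPLE_HOME_POLICY = json.dumps({"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/sampleAgentRole",
     "members": ["serviceAccount:service-123456789012" + AGENT_DOMAIN]},
]})


def home_policy_json(home_project: str) -> str:
    """Live lookup; needs an authenticated gcloud and is not used by the sample."""
    return subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", home_project, "--format=json"],
        text=True)


def find_automl_agent(policy_json: str) -> str:
    """Return the agent's email (step 3); raise if none or several are bound."""
    agents = set()
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind == "serviceAccount" and email.endswith(AGENT_DOMAIN):
                agents.add(email)
    if len(agents) != 1:  # none usually means the AutoML API is not enabled
        raise LookupError(f"expected one AutoML Service Agent, found {sorted(agents)}")
    return agents.pop()


def grant_command(target_project: str, agent_email: str, role: str) -> list:
    """argv for steps 5 and 6; target_project may also be the home project."""
    return ["gcloud", "projects", "add-iam-policy-binding", target_project,
            f"--member=serviceAccount:{agent_email}", f"--role={role}"]


if __name__ == "__main__":
    # Placeholders: use your project IDs and the role the data source needs.
    agent = find_automl_agent(SAMPLE_HOME_POLICY)  # live: home_policy_json("HOME_ID")
    print(shlex.join(grant_command("TARGET_PROJECT_ID", agent, "roles/REQUIRED_ROLE")))
```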

Providing access to Google Sheets

If you use an external BigQuery data source backed by Google Sheets, you must share your sheet with the AutoML service account. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.

To authorize AutoML Tables to access your Sheets file:

  1. Go to the IAM page of the Google Cloud console.

  2. Select the Include Google-provided role grants checkbox in the upper right-hand corner.

  3. Look for the service account with the name AutoML Service Agent.

  4. Copy the Principal name to your clipboard.

    The Principal name is an email address, similar to this example:

    service-358517216@gcp-sa-automl.iam.gserviceaccount.com
    
  5. Open your Sheets file and share it with that address.

Managing IAM roles

You can grant, change, and revoke IAM roles using the Google Cloud console, the IAM API, or the gcloud command-line tool. For detailed instructions, see Granting, changing, and revoking access.

What's next

Learn more about Identity and Access Management.