Access control with IAM
This page describes how to use Identity and Access Management (IAM) to manage access to Colab Enterprise resources. To manage access for other Vertex AI resources, see Vertex AI access control with IAM.
Control access to notebooks with IAM
You can manage access to Colab Enterprise notebooks (IPYNB files) at the project level or per notebook.
- To grant access to notebooks at the project level, assign one or more roles to a principal (user, group, or service account).
- To grant access to a specific notebook, assign one or more roles to a principal on the notebook. To learn more, see Manage access to a notebook.
Running code that interacts with other Google Cloud services
Granting access to a notebook is limited to the specific permissions related to interacting with the notebook. For example, you can grant the ability to create a notebook, write code in it, or delete the notebook.
To run code that interacts with other Google Cloud services, you must use one of the following methods:
- Run code in a runtime with end-user credentials enabled. This means your notebook has the same access to Google Cloud services as your notebook user.
- Run code that authenticates and authorizes your notebook to interact with Google Cloud services.
To learn more, see Run code that interacts with Google Cloud.
Types of IAM roles
There are different types of IAM roles that can be used in Colab Enterprise:
- Predefined roles let you grant a set of related permissions to your Colab Enterprise resources at the project level.
- Basic roles (Owner, Editor, and Viewer) provide access control to your Colab Enterprise resources at the project level, and are common to all Google Cloud services.
- Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.
To add, update, or remove these roles in your Colab Enterprise project, see the documentation on managing access to projects, folders, and organizations.
Predefined roles for Colab Enterprise
Colab Enterprise is a part of Vertex AI, and Colab Enterprise resources are managed through the Vertex AI API. Therefore, you can grant principals access to Colab Enterprise resources through Vertex AI roles.
The following table includes all Vertex AI predefined roles.
For common Colab Enterprise operations, use Colab Enterprise Admin (roles/aiplatform.colabEnterpriseAdmin) and Colab Enterprise User (roles/aiplatform.colabEnterpriseUser). For roles related to runtime management, see Notebook Runtime Admin (roles/aiplatform.notebookRuntimeAdmin) and Notebook Runtime User (roles/aiplatform.notebookRuntimeUser). Vertex AI Administrator (roles/aiplatform.admin), Vertex AI User (roles/aiplatform.user), and Vertex AI Viewer (roles/aiplatform.viewer) also include Colab Enterprise permissions.
Role | Permissions |
---|---|
Vertex AI Administrator | Grants full access to all resources in Vertex AI. |
Colab Enterprise Admin | Admin role for using Colab Enterprise. |
Colab Enterprise User | User role for using Colab Enterprise. |
Vertex AI Feature Store EntityType Owner | Provides full access to all permissions for a particular entity type resource. Lowest-level resources where you can grant this role: |
Vertex AI Platform Express Admin (Beta) | Grants admin access to Vertex AI Express. |
Vertex AI Platform Express User (Beta) | Grants user access to Vertex AI Express. |
Vertex AI Feature Store Admin | Grants full access to all resources in Vertex AI Feature Store. Lowest-level resources where you can grant this role: |
Vertex AI Feature Store Data Viewer | Provides permissions to read Feature data. Lowest-level resources where you can grant this role: |
Vertex AI Feature Store Data Writer | Provides permissions to read and write Feature data. Lowest-level resources where you can grant this role: |
Vertex AI Feature Store Instance Creator | Administrator of Featurestore resources, but not the child resources under Featurestores. Lowest-level resources where you can grant this role: |
Vertex AI Feature Store Resource Viewer | Viewer of all resources in Vertex AI Feature Store, but cannot make changes. Lowest-level resources where you can grant this role: |
Vertex AI Feature Store User (Beta) | Deprecated. Use featurestoreAdmin instead. |
Vertex AI Migration Service User | Grants access to use the migration service in Vertex AI. |
Notebook Executor User (Beta) | Grants users full access to schedules and notebook execution jobs. |
Notebook Runtime Admin | Grants full access to all runtime templates and runtimes in Notebook Service. |
Notebook Runtime User | Grants users permissions to create runtime resources using a runtime template and to manage the runtime resources they created. |
Vertex AI Tensorboard Web App User (Beta) | Grants access to the Vertex AI TensorBoard web app. |
Vertex AI User | Grants access to use all resources in Vertex AI. |
Vertex AI Viewer | Grants access to view all resources in Vertex AI. |
Basic roles
The older Google Cloud basic roles are common to all Google Cloud services. These roles are Owner, Editor, and Viewer.
The basic roles provide permissions across Google Cloud, not just for Colab Enterprise. For this reason, you should use Colab Enterprise roles whenever possible.
Custom roles
If the predefined IAM roles for Colab Enterprise don't meet your needs, you can define custom roles. Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization. For more information, see Understanding IAM custom roles.
Service agents for Colab Enterprise
Colab Enterprise automatically creates and uses service agents to access resources on your behalf. When a service agent is created, the service agent is granted a predefined role for your project.
The following table lists Colab Enterprise service agents, their email addresses, and their respective roles:
Name | Used for | Email address | Role |
---|---|---|---|
Vertex AI Service Agent | Vertex AI capabilities | service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com | roles/aiplatform.serviceAgent |
Vertex AI Colab Service Agent | Gives Colab Enterprise the proper permissions to function | service-PROJECT_NUMBER@gcp-sa-vertex-nb.iam.gserviceaccount.com | roles/aiplatform.colabServiceAgent |
Vertex AI Notebook Service Agent | Runs notebook-managed resources in the user project with restricted permissions | service-PROJECT_NUMBER@gcp-sa-aiplatform-vm.iam.gserviceaccount.com | roles/aiplatform.notebookServiceAgent |
If you remove the default roles of the Colab Enterprise service agents, Colab Enterprise can automatically reassign those roles to ensure uninterrupted service functionality. To turn off the Colab Enterprise service, you must turn off the relevant APIs instead of removing roles.
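As an added example (not from this page or from Google's own tooling), the following Python audits an exported project IAM policy (the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns) for two points made above: principals holding basic roles that could be narrowed to Colab Enterprise roles, and service agents whose default role binding is missing. The policy, the project number 123456789012 and the principals are constructed sample data, and `grant_role` is a hypothetical helper for editing the policy before applying it with `set-iam-policy`.

```python
# Service-agent domains and the default role each agent needs (from the table above).
SERVICE_AGENT_ROLES = {
    "gcp-sa-aiplatform.iam.gserviceaccount.com": "roles/aiplatform.serviceAgent",
    "gcp-sa-vertex-nb.iam.gserviceaccount.com": "roles/aiplatform.colabServiceAgent",
    "gcp-sa-aiplatform-vm.iam.gserviceaccount.com": "roles/aiplatform.notebookServiceAgent",
}
# Basic roles span all of Google Cloud; the page recommends Colab Enterprise roles instead.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def roles_by_member(policy: dict) -> dict[str, set[str]]:
    """Invert the policy's bindings into {member: {role, ...}}."""
    out: dict[str, set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def missing_service_agent_roles(policy: dict, project_number: str) -> list[tuple[str, str]]:
    """Return (member, role) pairs for service agents that lack their default role."""
    have = roles_by_member(policy)
    missing = []
    for domain, role in SERVICE_AGENT_ROLES.items():
        member = f"serviceAccount:service-{project_number}@{domain}"
        if role not in have.get(member, set()):
            missing.append((member, role))
    return missing

def members_with_basic_roles(policy: dict) -> list[str]:
    """Principals holding Owner/Editor/Viewer: candidates to narrow to Colab Enterprise roles."""
    return sorted(m for m, roles in roles_by_member(policy).items() if roles & BASIC_ROLES)

def grant_role(policy: dict, role: str, member: str) -> dict:
    """Add member to the unconditional binding for role, without creating duplicates."""
    for binding in policy.setdefault("bindings", []):
        # Conditional bindings are left alone; they do not grant the role unconditionally.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy

# Constructed sample policy for the hypothetical project number 123456789012.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/aiplatform.colabEnterpriseUser", "members": ["group:ds-team@example.com"]},
        {"role": "roles/aiplatform.serviceAgent", "members": ["serviceAccount:service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"]},
    ],
}
```

On the sample policy the audit reports the Colab and Notebook service agents as missing their roles and flags alice's Editor binding; after `grant_role` adds her to roles/aiplatform.colabEnterpriseUser, the Editor binding can be removed.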
What's next
Learn how to create and manage custom IAM roles.
Learn more about service agents.