Manage access to a runtime template
This page describes how you can grant and revoke access to a runtime template in Colab Enterprise.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Vertex AI, Dataform, and Compute Engine APIs.
Required roles
To ensure that your user account has the necessary permissions to manage access to a runtime template, ask your administrator to grant your user account the Colab Enterprise Admin (roles/aiplatform.colabEnterpriseAdmin) IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
Your administrator might also be able to give your user account the required permissions through custom roles or other predefined roles.
Grant access to a runtime template
To grant a principal access to a runtime template, you can use the Google Cloud console or the Google Cloud CLI.
Console
- In the Google Cloud console, go to the Colab Enterprise Runtime Templates page.
- In the Region menu, select the region that contains your runtime template.
- In the Runtime template menu, select a runtime template. If there aren't any runtime templates listed, create a runtime template.
- Click Permissions.
- In the Permissions window, click Add principal.
- In the Grant access dialog, in the New principals field, enter one principal or a comma-separated list of principals.
- In the Select a role menu, complete the dialog to assign a role.
- Optional: Click Add another role, and repeat the last step.
- Click Save.
gcloud
Before using any of the command data below, make the following replacements:
- RUNTIME_TEMPLATE_ID: the ID of your runtime template.
- PRINCIPAL: the principal to add the binding for.
- ROLE: the role name to assign to the principal.
- PROJECT_ID: your project ID.
- REGION: the region where your runtime template is located.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud colab runtime-templates add-iam-policy-binding RUNTIME_TEMPLATE_ID \
    --member=PRINCIPAL \
    --role=ROLE \
    --project=PROJECT_ID \
    --region=REGION
Windows (PowerShell)
gcloud colab runtime-templates add-iam-policy-binding RUNTIME_TEMPLATE_ID `
    --member=PRINCIPAL `
    --role=ROLE `
    --project=PROJECT_ID `
    --region=REGION
Windows (cmd.exe)
gcloud colab runtime-templates add-iam-policy-binding RUNTIME_TEMPLATE_ID ^
    --member=PRINCIPAL ^
    --role=ROLE ^
    --project=PROJECT_ID ^
    --region=REGION
For more information about managing IAM policies for runtime templates from the command line, see the gcloud CLI documentation.
Colab Enterprise principals are users, groups, or domains
You can grant access to users, groups, or domains. See the following table:
Principal | Example user account |
---|---|
Single user | user@gmail.com |
Google group | admins@googlegroups.com |
Google Workspace domain | example.com |
Revoke access to a runtime template
To revoke access to a runtime template, you can use the Google Cloud console or the gcloud CLI.
Console
- In the Google Cloud console, go to the IAM page.
- Select a project, folder, or organization.
- Find the row containing the principal whose access you want to revoke. Then, click Edit principal in that row.
- Click the Delete button for the role that you want to revoke, and then click Save.
gcloud
Before using any of the command data below, make the following replacements:
- RUNTIME_TEMPLATE_ID: the ID of your runtime template.
- PRINCIPAL: the principal whose access you want to revoke.
- ROLE: the role to remove from the principal.
- PROJECT_ID: your project ID.
- REGION: the region where your runtime template is located.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud colab runtime-templates remove-iam-policy-binding RUNTIME_TEMPLATE_ID \
    --member=PRINCIPAL \
    --role=ROLE \
    --project=PROJECT_ID \
    --region=REGION
Windows (PowerShell)
gcloud colab runtime-templates remove-iam-policy-binding RUNTIME_TEMPLATE_ID `
    --member=PRINCIPAL `
    --role=ROLE `
    --project=PROJECT_ID `
    --region=REGION
Windows (cmd.exe)
gcloud colab runtime-templates remove-iam-policy-binding RUNTIME_TEMPLATE_ID ^
    --member=PRINCIPAL ^
    --role=ROLE ^
    --project=PROJECT_ID ^
    --region=REGION
For more information about managing IAM policies for runtime templates from the command line, see the gcloud CLI documentation.
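An access review to run after granting or revoking, as an added example that is not part of the original page: it reads a runtime template's IAM policy as JSON, flags bindings that are public, domain-wide, or missing from an approved list, and builds the matching remove-iam-policy-binding command described above. The sample policy, the roles/viewer binding, the APPROVED allowlist, and the function names are constructed for illustration; it assumes the policy was exported with the get-iam-policy subcommand using --format=json and that members carry the standard IAM user:, group:, and domain: prefixes.

```python
import json
import shlex

# Constructed sample policy in the standard IAM JSON shape (not real data).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/aiplatform.colabEnterpriseAdmin",
   "members": ["user:user@gmail.com", "user:former-admin@example.com"]},
  {"role": "roles/viewer",
   "members": ["group:admins@googlegroups.com", "domain:example.com"]}],
 "etag": "CONSTRUCTED_ETAG", "version": 1}
""")

# Hypothetical allowlist of (role, member) pairs the owner has approved.
APPROVED = {
    ("roles/aiplatform.colabEnterpriseAdmin", "user:user@gmail.com"),
    ("roles/viewer", "group:admins@googlegroups.com"),
}
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")

def review_policy(policy, approved):
    """Return (role, member, reason) for every binding that needs review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public"))
            elif member.startswith("domain:"):
                # Domain grants cover every account in the domain: always flag.
                findings.append((role, member, "domain-wide"))
            elif (role, member) not in approved:
                findings.append((role, member, "not approved"))
    return findings

def revoke_command(template_id, role, member, project, region):
    """Build the remove-iam-policy-binding command with shell-safe quoting."""
    args = ["gcloud", "colab", "runtime-templates",
            "remove-iam-policy-binding", template_id, f"--member={member}",
            f"--role={role}", f"--project={project}", f"--region={region}"]
    return " ".join(shlex.quote(arg) for arg in args)

if __name__ == "__main__":
    for role, member, reason in review_policy(SAMPLE_POLICY, APPROVED):
        print(f"# {reason}: {member} holds {role}")
        print(revoke_command("RUNTIME_TEMPLATE_ID", role, member,
                             "PROJECT_ID", "REGION"))
```

The printed commands are review candidates; confirm each finding with the template owner before running the revoke.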
What's next
- To learn how to grant access to a notebook, see Manage access to a notebook.