You can grant and restrict access to Vertex AI Workbench for an organization or a project. To do so, you define an organization policy using the GDCHRestrictedService policy type, which lets you restrict which services can be used on Google Distributed Cloud (GDC) air-gapped. When applied, the policy prevents the use of the APIs that it references.
For example, you can use this policy type to restrict the use of Vertex AI Workbench to specific projects. Only non-restricted organizations or projects can create or update JupyterLab notebooks. You can also use the policy to completely restrict access to the Vertex AI Workbench service because you want to run tests before allowing your teams to use it.
This page describes how to grant and restrict access to Vertex AI Workbench using the GDCHRestrictedService policy type. To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Configure organization policies.
Before you begin
To get the permissions you need to grant or restrict access to Vertex AI Workbench for an organization or a project, ask your Organization IAM Admin to grant you the GDC Restricted Service Policy Admin (gdchrestrictedservice-policy-admin) cluster role in your project namespace.
For more information about this role, see Prepare IAM permissions.
Restrict access to Vertex AI Workbench for your organization
To restrict access to Vertex AI Workbench for your organization, edit the GDCHRestrictedService policy type by adding the aiplatform.gdc.goog API group and the Notebook kind to the kinds field of the policy.
The following example shows how the kinds field looks in the GDCHRestrictedService policy type when you restrict access to Vertex AI Workbench for your entire organization:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    kinds:
    - apiGroups:
      - "aiplatform.gdc.goog"
      kinds:
      - Notebook
  [...]
To restore an organization's access to Vertex AI Workbench, see Grant access to Vertex AI Workbench for your organization.
Restrict access to Vertex AI Workbench for a project
To restrict access to Vertex AI Workbench for a project, edit the GDCHRestrictedService policy type by adding the aiplatform.gdc.goog API group and the Notebook kind to the kinds field of the policy for the project namespace.
The difference from restricting access for an organization is that you must specify the namespace the policy applies to. Add the namespaces field to the policy with your project namespace.
The following example shows how the kinds field looks in the GDCHRestrictedService policy type when you restrict access to Vertex AI Workbench for a project:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    namespaces: [PROJECT_NAMESPACE]
    kinds:
    - apiGroups:
      - "aiplatform.gdc.goog"
      kinds:
      - Notebook
  [...]
Replace PROJECT_NAMESPACE with the namespace of the project where you want to restrict access to Vertex AI Workbench.
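After applying either of the policies above, a practitioner usually wants to confirm which namespaces are actually covered before telling a team that notebooks are blocked. The following added example (not code from the GDC documentation) reads GDCHRestrictedService constraints that have been exported as JSON and reports which of them block the Notebook kind in a given namespace. It assumes the constraints were fetched with a command such as `kubectl get gdchrestrictedservice -A -o json` (an assumed command; the sample input below is constructed inline so the code runs offline), and it applies Gatekeeper's match semantics, which go slightly beyond the page: an absent or empty `namespaces` list matches every namespace, `"*"` in `apiGroups` or `kinds` matches everything, and Gatekeeper's optional `excludedNamespaces` field carves namespaces out.

```python
"""Report which GDCHRestrictedService constraints block Vertex AI Workbench
(the Notebook kind in the aiplatform.gdc.goog API group) in a namespace.

Added example, not from the GDC documentation. Input is the JSON list that
an assumed `kubectl get gdchrestrictedservice -A -o json` would return.
"""
import json

NOTEBOOK_GROUP = "aiplatform.gdc.goog"
NOTEBOOK_KIND = "Notebook"

# Constructed sample: one organization-wide constraint and one constraint
# scoped to the project namespace "team-a" (both names are made up here).
SAMPLE_CONSTRAINTS = json.loads("""
{
  "items": [
    {
      "apiVersion": "constraints.gatekeeper.sh/v1beta1",
      "kind": "GDCHRestrictedService",
      "metadata": {"name": "restrict-notebook-for-organization"},
      "spec": {"match": {"scope": "Namespaced",
                          "kinds": [{"apiGroups": ["aiplatform.gdc.goog"],
                                     "kinds": ["Notebook"]}]}}
    },
    {
      "apiVersion": "constraints.gatekeeper.sh/v1beta1",
      "kind": "GDCHRestrictedService",
      "metadata": {"name": "restrict-notebook-for-project"},
      "spec": {"match": {"scope": "Namespaced",
                          "namespaces": ["team-a"],
                          "kinds": [{"apiGroups": ["aiplatform.gdc.goog"],
                                     "kinds": ["Notebook"]}]}}
    }
  ]
}
""")


def entry_covers_notebook(kind_entry):
    """True if one element of spec.match.kinds covers aiplatform.gdc.goog/Notebook.

    Gatekeeper accepts "*" as a wildcard in both lists, so honour it here.
    """
    groups = kind_entry.get("apiGroups", [])
    kinds = kind_entry.get("kinds", [])
    group_hit = "*" in groups or NOTEBOOK_GROUP in groups
    kind_hit = "*" in kinds or NOTEBOOK_KIND in kinds
    return group_hit and kind_hit


def restricts_notebooks(constraint, namespace):
    """True if this constraint blocks Notebook resources in `namespace`."""
    match = constraint.get("spec", {}).get("match", {})
    if not any(entry_covers_notebook(e) for e in match.get("kinds", [])):
        return False
    scoped = match.get("namespaces") or []
    # Gatekeeper semantics: no namespaces list means the constraint applies
    # to every namespace, which is how the organization-wide policy works.
    if scoped and namespace not in scoped:
        return False
    # excludedNamespaces is a Gatekeeper match field; GDC pages above do not
    # use it, but a constraint could, so respect it if present.
    excluded = match.get("excludedNamespaces") or []
    return namespace not in excluded


def constraints_blocking(constraints, namespace):
    """Names of the constraints that block Workbench in `namespace`."""
    return [c["metadata"]["name"] for c in constraints["items"]
            if restricts_notebooks(c, namespace)]


if __name__ == "__main__":
    for ns in ("team-a", "team-b"):
        print(ns, "->", constraints_blocking(SAMPLE_CONSTRAINTS, ns))
```

Running the module prints that `team-a` is covered by both constraints and `team-b` only by the organization-wide one, which is the difference between the two policies on this page. Gatekeeper also accepts glob prefixes such as `kube-*` in `namespaces`; this example treats namespace entries as exact names only.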
Grant access to Vertex AI Workbench for your organization
By default, Distributed Cloud organizations have access to Vertex AI Workbench. However, if you restricted access to Vertex AI Workbench for your organization, you can grant access again.
Follow these steps to grant access to Vertex AI Workbench for all the projects in your organization:
1. Identify the GDCHRestrictedService policy type in your organization.
2. Find the aiplatform.gdc.goog API group and the Notebook kind in the policy.
3. If the aiplatform.gdc.goog API group and the Notebook kind are the only content in the kinds field of the policy, delete the GDCHRestrictedService resource.
4. If the GDCHRestrictedService policy contains other restricted services, remove the aiplatform.gdc.goog API group and the Notebook kind from the kinds field and save the changes to the policy.
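The decision in steps 3 and 4 is easy to get wrong by hand when a constraint restricts several services, because deleting the whole resource would also lift the other restrictions. The following added example (not code from the GDC documentation) encodes those steps as a pure function over a constraint exported as JSON: it removes only the Notebook kind from the aiplatform.gdc.goog entry, drops the entry if it becomes empty, and recommends deleting the resource only when nothing else remains in `spec.match.kinds`. It assumes the constraint was fetched with a command such as `kubectl get gdchrestrictedservice NAME -o json` and that the caller applies the returned document with `kubectl replace -f` or removes it with `kubectl delete` (all assumed commands; the function itself performs no cluster operations). The second API group and kind in the sample input (`other.example.com`/`Widget`) are constructed placeholders for "some other restricted service".

```python
"""Compute the change that re-enables Vertex AI Workbench under a
GDCHRestrictedService constraint, following the grant-access steps above.

Added example, not from the GDC documentation. The input is the JSON form
of one constraint; the result says whether to delete the resource, replace
it with the updated document, or do nothing.
"""
import copy
import json

NOTEBOOK_GROUP = "aiplatform.gdc.goog"
NOTEBOOK_KIND = "Notebook"


def _as_constraint(kinds_entries):
    """Build a constructed sample constraint around the given kinds entries."""
    return {
        "apiVersion": "constraints.gatekeeper.sh/v1beta1",
        "kind": "GDCHRestrictedService",
        "metadata": {"name": "restrict-notebook-for-organization"},
        "spec": {"match": {"scope": "Namespaced", "kinds": kinds_entries}},
    }


# Constructed samples covering the three outcomes of the procedure.
SAMPLE_NOTEBOOK_ONLY = _as_constraint(
    [{"apiGroups": [NOTEBOOK_GROUP], "kinds": [NOTEBOOK_KIND]}])
SAMPLE_MIXED = _as_constraint(
    [{"apiGroups": [NOTEBOOK_GROUP], "kinds": [NOTEBOOK_KIND]},
     {"apiGroups": ["other.example.com"], "kinds": ["Widget"]}])  # placeholder service
SAMPLE_SHARED_ENTRY = _as_constraint(
    [{"apiGroups": [NOTEBOOK_GROUP], "kinds": [NOTEBOOK_KIND, "Widget"]}])  # placeholder kind


def grant_notebook_access(constraint):
    """Return ("delete", None), ("update", new_doc) or ("noop", constraint).

    The input document is never mutated; "update" returns a deep copy with
    the Notebook kind removed, ready to be applied as a replacement.
    """
    updated = copy.deepcopy(constraint)
    match = updated.setdefault("spec", {}).setdefault("match", {})
    remaining = []
    changed = False
    for entry in match.get("kinds", []):
        groups = entry.get("apiGroups", [])
        kinds = entry.get("kinds", [])
        if NOTEBOOK_GROUP in groups and NOTEBOOK_KIND in kinds:
            # Step 4: remove only the Notebook kind, keeping any other kinds
            # that this entry restricts for the same API group.
            entry["kinds"] = [k for k in kinds if k != NOTEBOOK_KIND]
            changed = True
            if not entry["kinds"]:
                continue  # the entry restricted nothing else; drop it
        remaining.append(entry)
    if not changed:
        return "noop", constraint
    if not remaining:
        # Step 3: Notebook was the only restricted service, so the whole
        # GDCHRestrictedService resource should be deleted.
        return "delete", None
    match["kinds"] = remaining
    return "update", updated


if __name__ == "__main__":
    for name, doc in (("notebook only", SAMPLE_NOTEBOOK_ONLY),
                      ("mixed", SAMPLE_MIXED),
                      ("shared entry", SAMPLE_SHARED_ENTRY)):
        action, new_doc = grant_notebook_access(doc)
        print(name, "->", action, json.dumps(new_doc and new_doc["spec"]["match"]["kinds"]))
```

One caveat the page's steps also imply: if a single kinds entry lists several API groups alongside aiplatform.gdc.goog, removing `Notebook` from it lifts the restriction on that kind for every listed group, so such an entry should be reviewed by hand rather than edited automatically.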