Control access to Vertex AI Workbench

You can grant and restrict access to Vertex AI Workbench for an organization or a project.

Before you begin

To get the permissions you need to restrict access to Vertex AI Workbench for an organization or a project, ask your Organization IAM Admin to grant you the GDC Restricted Service Policy Admin (gdchrestrictedservice-policy-admin) cluster role in the project namespace.

Set the organization policy for Vertex AI Workbench

Use the organization policy to restrict or enable permissions for an organization or project to create or update a JupyterLab notebook. The YAML organization policy file, GDCHRestrictedServices, specifies the organization policy. The following sections describe how to restrict that access and how to reinstate it.

Restrict access to Vertex AI Workbench from your organization

To restrict access to Vertex AI Workbench from your organization, edit the GDCHRestrictedServices organization policy by adding the following apiGroups and kinds entry to it:

apiGroups: ["aiplatform.gdc.goog"]
kinds: ["Notebook"]

In the following example GDCHRestrictedServices organization policy, add the last two lines to revoke access to Vertex AI Workbench from your organization:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    kinds:
      - apiGroups: ["aiplatform.gdc.goog"]
        kinds: ["Notebook"]

To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Define the scope of an organization policy within a cluster. To restore an organization's access to Vertex AI Workbench, see Grant your organization access to Vertex AI Workbench.

Restrict access to Vertex AI Workbench from a project

To restrict access to Vertex AI Workbench from a project, edit the GDCHRestrictedServices organization policy by adding kinds and apiGroups for the project namespace.

In the following example of the GDCHRestrictedServices organization policy, add the last two lines beneath the project namespace to revoke access to Vertex AI Workbench from that project.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    namespaces: [PROJECT_NAMESPACE]
    kinds:
      - apiGroups: ["aiplatform.gdc.goog"]
        kinds: ["Notebook"]

If your GDCHRestrictedServices organization policy does not already identify your project, add the following line to it. Replace PROJECT_NAMESPACE with the project name.

namespaces: [PROJECT_NAMESPACE]

To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Define the scope of an organization policy within a cluster.

Grant your organization access to Vertex AI Workbench

By default, an organization has permissions to access the Vertex AI Workbench. If permissions to access the Vertex AI Workbench are revoked from an organization, they can be reinstated. To reinstate permissions to access the Vertex AI Workbench for all projects in your organization, locate the GDCHRestrictedServices custom resource in your org admin cluster that contains the following two lines:

apiGroups: ["aiplatform.gdc.goog"]
kinds: ["Notebook"]

If these two lines are the only content in the spec.match.kinds field of the GDCHRestrictedService resource, delete the GDCHRestrictedService resource to reinstate the Vertex AI Workbench service for all projects in your organization. If the GDCHRestrictedService resource also restricts other services, as in the following example, remove only these two lines to reinstate the Vertex AI Workbench service for all projects in your organization.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    kinds:
      - apiGroups: ["marketplace.gdc.goog"]
        kinds: ["MarketplaceService"]
      - apiGroups: ["aiplatform.gdc.goog"]
        kinds: ["Notebook"]

To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Define the scope of an organization policy within a cluster.
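The following Python script is an added example, not part of this page or of the GDC tooling. It models the match logic described above (a missing spec.match.namespaces field means the policy applies organization-wide, a namespaces list limits it to those projects) and applies the reinstatement rule from the previous section: remove the Notebook entry, and if spec.match.kinds would become empty, delete the resource instead of editing it. The resources are constructed inline in the shape kubectl returns for -o json; the project namespace value is a placeholder.

```python
import copy
import json

# Constructed samples, shaped as `kubectl get gdchrestrictedservice -o json`
# returns them: the org-wide policy with two restricted services (from this
# page), and a project-scoped one whose namespace value is made up here.
ORG_POLICY = json.loads("""{
  "apiVersion": "constraints.gatekeeper.sh/v1beta1",
  "kind": "GDCHRestrictedService",
  "metadata": {"name": "restrict-notebook-for-organization"},
  "spec": {"match": {"scope": "Namespaced", "kinds": [
    {"apiGroups": ["marketplace.gdc.goog"], "kinds": ["MarketplaceService"]},
    {"apiGroups": ["aiplatform.gdc.goog"], "kinds": ["Notebook"]}]}}}""")

PROJECT_POLICY = copy.deepcopy(ORG_POLICY)
PROJECT_POLICY["spec"]["match"]["namespaces"] = ["example-project-ns"]  # placeholder
PROJECT_POLICY["spec"]["match"]["kinds"] = [
    {"apiGroups": ["aiplatform.gdc.goog"], "kinds": ["Notebook"]}]

NOTEBOOK = ("aiplatform.gdc.goog", "Notebook")


def is_restricted(policy, namespace, api_group=NOTEBOOK[0], kind=NOTEBOOK[1]):
    """True if this constraint blocks create/update of `kind` in `namespace`.
    No spec.match.namespaces means the policy applies organization-wide."""
    match = policy["spec"]["match"]
    scoped = match.get("namespaces")
    if scoped is not None and namespace not in scoped:
        return False
    for entry in match.get("kinds", []):
        # Gatekeeper also accepts "*" as a wildcard (assumption; the page
        # shows only literal values).
        if any(g in (api_group, "*") for g in entry.get("apiGroups", [])) and \
           any(k in (kind, "*") for k in entry.get("kinds", [])):
            return True
    return False


def reinstate(policy, api_group=NOTEBOOK[0], kind=NOTEBOOK[1]):
    """Apply the page's reinstatement rule: remove the Notebook entry; return
    None when spec.match.kinds would become empty (delete the resource), else
    the edited resource to apply. Only literal entries are edited."""
    edited = copy.deepcopy(policy)
    remaining = []
    for entry in edited["spec"]["match"].get("kinds", []):
        if api_group in entry.get("apiGroups", []):
            entry["kinds"] = [k for k in entry.get("kinds", []) if k != kind]
            if not entry["kinds"]:
                continue  # entry restricted nothing else; drop it
        remaining.append(entry)
    if not remaining:
        return None
    edited["spec"]["match"]["kinds"] = remaining
    return edited
```

Running is_restricted against every GDCHRestrictedService in the org admin cluster tells you which projects are currently blocked from creating notebooks; reinstate returning None is the signal to delete the resource rather than edit it.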