IAM を使用したアクセス制御

このページでは、Identity and Access Management(IAM)を使用して、Vertex AI Agent Builder リソースに対する Discovery Engine API のアクセスと権限を制御する方法について説明します。

概要

Google Cloud には Cloud IAM 機能があります。これにより、特定の Google Cloud リソースに対するアクセス権を詳細に設定し、他のリソースへの不要なアクセスを防止できます。このページでは、Vertex AI Agent Builder の IAM のロールと権限について説明します。Google Cloud IAM の詳細な説明については、IAM のドキュメントをご覧ください。

Vertex AI Agent Builder には、Vertex AI Agent Builder リソースへのアクセスを制御できるように設計された一連の事前定義ロールが用意されています。事前定義ロールの中に必要な権限を付与するものがない場合は、独自にカスタムロールを作成することもできます。 また、以前からある基本ロール(編集者、閲覧者、オーナー)も引き続き使用できますが、Vertex AI Agent Builder のロールほど細かい制御はできません。特に、基本ロールでは Vertex AI Agent Builder だけではなく、Google Cloud 全体のリソースへのアクセス権が付与されます。詳細については、基本ロールのドキュメントをご覧ください。

事前定義ロール

Vertex AI Agent Builder には、プリンシパルにきめ細かい権限を付与するために使用できる事前定義ロールがいくつか用意されています。プリンシパルにロールを付与することで、プリンシパルが実行できるアクションを制御できます。プリンシパルは、個人、グループ、またはサービス アカウントのいずれかです。

複数のロールを同じプリンシパルに付与できます。また、プリンシパルに付与されているロールの変更は、変更する権限を持っていればいつでも行えます。

広範囲な役割には、より限定的に定義された役割が含まれます。たとえば、Discovery Engine 編集者のロールには、Discovery Engine 閲覧者のロールのすべての権限と、Discovery Engine 編集者のロールの追加権限が含まれています。同様に、ディスカバリー エンジン管理者のロールには、ディスカバリー エンジン編集者のロールのすべての権限と、追加の権限が含まれています。

基本ロール(オーナー、編集者、閲覧者)は、Google Cloud 全体に対する権限を付与します。 Vertex AI Agent Builder に固有のロールは、Vertex AI Agent Builder の権限のみを付与します。ただし、Google Cloud の一般的な使用に必要な次の Google Cloud 権限を除きます。

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • serviceusage.services.get

次の表に、Vertex AI Agent Builder IAM ロールと、各ロールのすべての権限の対応するリストを示します。

ロール 権限

roles/discoveryengine.admin)。

すべてのディスカバリー エンジン リソースに対する完全アクセス権を付与します。

discoveryengine.*

  • discoveryengine.aclConfigs.get
  • discoveryengine.aclConfigs.update
  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens
  • discoveryengine.answers.get
  • discoveryengine.branches.get
  • discoveryengine.branches.list
  • discoveryengine.cmekConfigs.get
  • discoveryengine.cmekConfigs.list
  • discoveryengine.cmekConfigs.update
  • discoveryengine.collections.delete
  • discoveryengine.collections.get
  • discoveryengine.collections.list
  • discoveryengine.completionConfigs.completeQuery
  • discoveryengine.completionConfigs.get
  • discoveryengine.completionConfigs.update
  • discoveryengine.controls.create
  • discoveryengine.controls.delete
  • discoveryengine.controls.get
  • discoveryengine.controls.list
  • discoveryengine.controls.update
  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update
  • discoveryengine.dataStores.completeQuery
  • discoveryengine.dataStores.create
  • discoveryengine.dataStores.delete
  • discoveryengine.dataStores.enrollSolutions
  • discoveryengine.dataStores.get
  • discoveryengine.dataStores.list
  • discoveryengine.dataStores.trainCustomModel
  • discoveryengine.dataStores.update
  • discoveryengine.documentProcessingConfigs.get
  • discoveryengine.documentProcessingConfigs.update
  • discoveryengine.documents.batchGetDocumentsMetadata
  • discoveryengine.documents.create
  • discoveryengine.documents.delete
  • discoveryengine.documents.get
  • discoveryengine.documents.import
  • discoveryengine.documents.list
  • discoveryengine.documents.purge
  • discoveryengine.documents.update
  • discoveryengine.engines.create
  • discoveryengine.engines.delete
  • discoveryengine.engines.get
  • discoveryengine.engines.list
  • discoveryengine.engines.pause
  • discoveryengine.engines.resume
  • discoveryengine.engines.tune
  • discoveryengine.engines.update
  • discoveryengine.evaluations.create
  • discoveryengine.evaluations.get
  • discoveryengine.evaluations.list
  • discoveryengine.groundingConfigs.check
  • discoveryengine.locations.estimateDataSize
  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update
  • discoveryengine.operations.get
  • discoveryengine.operations.list
  • discoveryengine.projects.get
  • discoveryengine.projects.provision
  • discoveryengine.projects.reportConsentChange
  • discoveryengine.rankingConfigs.rank
  • discoveryengine.sampleQueries.create
  • discoveryengine.sampleQueries.delete
  • discoveryengine.sampleQueries.get
  • discoveryengine.sampleQueries.import
  • discoveryengine.sampleQueries.list
  • discoveryengine.sampleQueries.update
  • discoveryengine.sampleQuerySets.create
  • discoveryengine.sampleQuerySets.delete
  • discoveryengine.sampleQuerySets.get
  • discoveryengine.sampleQuerySets.list
  • discoveryengine.sampleQuerySets.update
  • discoveryengine.schemas.create
  • discoveryengine.schemas.delete
  • discoveryengine.schemas.get
  • discoveryengine.schemas.list
  • discoveryengine.schemas.preview
  • discoveryengine.schemas.update
  • discoveryengine.schemas.validate
  • discoveryengine.servingConfigs.answer
  • discoveryengine.servingConfigs.create
  • discoveryengine.servingConfigs.delete
  • discoveryengine.servingConfigs.get
  • discoveryengine.servingConfigs.list
  • discoveryengine.servingConfigs.recommend
  • discoveryengine.servingConfigs.search
  • discoveryengine.servingConfigs.update
  • discoveryengine.sessions.create
  • discoveryengine.sessions.delete
  • discoveryengine.sessions.get
  • discoveryengine.sessions.list
  • discoveryengine.sessions.update
  • discoveryengine.siteSearchEngines.batchVerifyTargetSites
  • discoveryengine.siteSearchEngines.disableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.enableAdvancedSiteSearch
  • discoveryengine.siteSearchEngines.fetchDomainVerificationStatus
  • discoveryengine.siteSearchEngines.get
  • discoveryengine.siteSearchEngines.recrawlUris
  • discoveryengine.suggestionDenyListEntries.import
  • discoveryengine.suggestionDenyListEntries.purge
  • discoveryengine.targetSites.batchCreate
  • discoveryengine.targetSites.create
  • discoveryengine.targetSites.delete
  • discoveryengine.targetSites.get
  • discoveryengine.targetSites.list
  • discoveryengine.targetSites.update
  • discoveryengine.userEvents.create
  • discoveryengine.userEvents.fetchStats
  • discoveryengine.userEvents.import
  • discoveryengine.userEvents.purge
  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

roles/discoveryengine.editor)。

すべてのディスカバリー エンジン リソースに対する読み取り / 書き込みアクセス権を付与します。

discoveryengine.aclConfigs.get

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.answers.get

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.*

  • discoveryengine.conversations.converse
  • discoveryengine.conversations.create
  • discoveryengine.conversations.delete
  • discoveryengine.conversations.get
  • discoveryengine.conversations.list
  • discoveryengine.conversations.update

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.create

discoveryengine.documents.delete

discoveryengine.documents.get

discoveryengine.documents.import

discoveryengine.documents.list

discoveryengine.documents.update

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.engines.pause

discoveryengine.engines.resume

discoveryengine.engines.tune

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.models.*

  • discoveryengine.models.create
  • discoveryengine.models.delete
  • discoveryengine.models.get
  • discoveryengine.models.list
  • discoveryengine.models.pause
  • discoveryengine.models.resume
  • discoveryengine.models.tune
  • discoveryengine.models.update

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.*

  • discoveryengine.sampleQueries.create
  • discoveryengine.sampleQueries.delete
  • discoveryengine.sampleQueries.get
  • discoveryengine.sampleQueries.import
  • discoveryengine.sampleQueries.list
  • discoveryengine.sampleQueries.update

discoveryengine.sampleQuerySets.*

  • discoveryengine.sampleQuerySets.create
  • discoveryengine.sampleQuerySets.delete
  • discoveryengine.sampleQuerySets.get
  • discoveryengine.sampleQuerySets.list
  • discoveryengine.sampleQuerySets.update

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.*

  • discoveryengine.sessions.create
  • discoveryengine.sessions.delete
  • discoveryengine.sessions.get
  • discoveryengine.sessions.list
  • discoveryengine.sessions.update

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.create

discoveryengine.userEvents.fetchStats

discoveryengine.userEvents.import

discoveryengine.widgetConfigs.*

  • discoveryengine.widgetConfigs.get
  • discoveryengine.widgetConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

roles/discoveryengine.user

ディスカバリー エンジン リソースに対するユーザーレベルのアクセス権を付与します。

discoveryengine.answers.get

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.search

discoveryengine.sessions.get

roles/discoveryengine.viewer)。

すべてのディスカバリー エンジン リソースに対する読み取りアクセス権を付与します。

discoveryengine.aclConfigs.get

discoveryengine.analytics.*

  • discoveryengine.analytics.acquireDashboardSession
  • discoveryengine.analytics.refreshDashboardSessionTokens

discoveryengine.answers.get

discoveryengine.branches.*

  • discoveryengine.branches.get
  • discoveryengine.branches.list

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.completeQuery

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.converse

discoveryengine.conversations.get

discoveryengine.conversations.list

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.batchGetDocumentsMetadata

discoveryengine.documents.get

discoveryengine.documents.list

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.evaluations.get

discoveryengine.evaluations.list

discoveryengine.groundingConfigs.check

discoveryengine.models.get

discoveryengine.models.list

discoveryengine.operations.*

  • discoveryengine.operations.get
  • discoveryengine.operations.list

discoveryengine.projects.get

discoveryengine.rankingConfigs.rank

discoveryengine.sampleQueries.get

discoveryengine.sampleQueries.list

discoveryengine.sampleQuerySets.get

discoveryengine.sampleQuerySets.list

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.answer

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.sessions.get

discoveryengine.sessions.list

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.fetchStats

discoveryengine.widgetConfigs.get

resourcemanager.projects.get

resourcemanager.projects.list

Vertex AI Agent Builder IAM を管理する

IAM の許可ポリシーと IAM ロールは、Google Cloud コンソールを使用して取得、設定できます。詳細については、プロジェクト、フォルダ、組織へのアクセスを管理するをご覧ください。

次のステップ