Sharing models

AI Platform Prediction uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account. To share a model, you grant a role that gives access to your model and its versions.

This guide focuses on two predefined AI Platform Prediction roles that can be used to grant access to model resources:

  • AI Platform Prediction Model Owner
  • AI Platform Prediction Model User

For details on other roles, see the full explanation of all the IAM roles available for use with AI Platform Prediction.

Before you begin

Model roles

The AI Platform Prediction Model Owner and Model User roles grant varying permissions to a particular model resource.

You can share models with individuals or services by granting them the Model User role.

Role Title | Role Name | Capabilities
AI Platform Prediction Model Owner | roles/ml.modelOwner | Full access to the model and its versions. This role is automatically granted to the user who creates the model.
AI Platform Prediction Model User | roles/ml.modelUser | Permissions to read the model and its versions, and use them for prediction. Granting this role makes it easy to share specific models.

Granting individuals and service accounts access to a model

This example demonstrates how to edit an IAM policy for a particular model by granting the Model Owner or Model User roles to individuals and service accounts. You can edit the policy file using the API, gcloud, or the Google Cloud console.

Console

Share a model with a user or service account

  1. Open the AI Platform Prediction Models page.

  2. Select the checkbox for each model you would like to share.

  3. Click the Show Info Panel button in the upper right corner to display the Permissions tab.

  4. In the Add Members field, add the Google account(s) for the user(s) you want to share the model with. For example, "email1@gmail.com".

  5. In the Select a role drop-down field, select the role you want to add for the user(s). To share a model resource, select ML Engine Model Owner or ML Engine Model User.

    If you are not sure which role to select, see more details on model roles.

  6. Click the Add button next to the Select a role drop-down field to finalize your role selections.

  7. The Google Cloud console page refreshes and displays the roles you have assigned in the Permissions tab with a list of members associated with the role.

To stop sharing a model with a user or service account, click the trash icon next to the account ID.

gcloud

Modifying a model policy by editing the policy file directly

You can use either JSON or YAML files with the gcloud commands. This example uses JSON.

  1. Get the policy that you want to modify, and write it to a JSON file.

    gcloud ai-platform models get-iam-policy <MODEL_NAME> --format json > iam.json
    
  2. Open the policy file (iam.json in this example), or run cat iam.json to see the policy. In the following example policy, the service account is assigned the AI Platform Prediction Model Owner role so that it has access to online prediction.

     {
        "bindings": [
        {
            "role": "roles/ml.modelOwner",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                "user:email1@gmail.com"
            ]
        }
        ],
        "etag": "BwVUJYGz8M4="
     }
    
  3. Using a text editor, update your iam.json file as follows. Add a new object to the bindings array that defines the group members and the role for those members. For example, to grant the role roles/ml.modelUser to the user email2@gmail.com, change the example shown above as follows:

     {
        "bindings": [
        {
            "role": "roles/ml.modelOwner",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                "user:email1@gmail.com"
            ]
        },
        {
            "role": "roles/ml.modelUser",
            "members": [
                "user:email2@gmail.com"
            ]
        }
        ],
        "etag": "BwVUJYGz8M4="
     }
    
  4. Update the model's policy by running the following command:

    gcloud ai-platform models set-iam-policy <MODEL_NAME> iam.json
    
  5. The command outputs the updated policy in YAML:

    bindings:
    - members:
      - user:email1@gmail.com
      - serviceAccount:otherapp@appspot.gserviceaccount.com
      role: roles/ml.modelOwner
    - members:
      - user:email2@gmail.com
      role: roles/ml.modelUser
    etag: BwVUJYGz8M4=
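
The edit in step 3 can also be applied programmatically. The following is an added example, not part of the original guide or of Google's tooling: it makes the same change to the parsed iam.json, extends an existing binding instead of duplicating the role, refuses public members, and leaves the etag untouched so that set-iam-policy can detect a concurrent change. The function name grant_role and the accepted member prefixes are assumptions of this example.

```python
import copy
import json

MODEL_ROLES = {"roles/ml.modelOwner", "roles/ml.modelUser"}
# Member types this helper accepts (assumption); allUsers and
# allAuthenticatedUsers never match and are therefore rejected.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:")


def grant_role(policy, role, member):
    """Return a copy of `policy` with `member` bound to `role`.

    The etag read by get-iam-policy is left as is, so set-iam-policy can
    reject the write if the policy changed in the meantime.
    """
    if role not in MODEL_ROLES:
        raise ValueError(f"unexpected role: {role}")
    prefix, _, identity = member.partition(":")
    if prefix + ":" not in MEMBER_PREFIXES or "@" not in identity:
        raise ValueError(f"refusing member: {member!r}")
    updated = copy.deepcopy(policy)  # never mutate the policy that was read
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role:
            # The role already has a binding: extend it, do not duplicate it.
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


# Constructed sample mirroring the iam.json shown in step 2.
SAMPLE_POLICY = {
    "bindings": [{
        "role": "roles/ml.modelOwner",
        "members": ["serviceAccount:my-other-app@appspot.gserviceaccount.com",
                    "user:email1@gmail.com"],
    }],
    "etag": "BwVUJYGz8M4=",
}

if __name__ == "__main__":
    new_policy = grant_role(SAMPLE_POLICY, "roles/ml.modelUser",
                            "user:email2@gmail.com")
    print(json.dumps(new_policy, indent=2))  # valid JSON for set-iam-policy
```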
    

Modifying a policy with policy binding commands

Use the add-iam-policy-binding and remove-iam-policy-binding commands to grant, revoke, and update access to models.

Share a model with a user

  1. Use the add-iam-policy-binding command to add a user to an existing AI Platform Prediction model policy as follows:

    gcloud ai-platform models add-iam-policy-binding <MODEL_NAME> \
        --member user:email3@gmail.com --role roles/ml.modelUser
    

    The command outputs the updated policy:

        bindings:
        - members:
          - user:email1@gmail.com
          - serviceAccount:otherapp@appspot.gserviceaccount.com
          role: roles/ml.modelOwner
        - members:
          - user:email2@gmail.com
          - user:email3@gmail.com
          role: roles/ml.modelUser
        etag: BwVUJYGz8M4=
    

Share a model with a service

  1. Use the add-iam-policy-binding command to add a service account to an existing AI Platform Prediction model policy as follows:

    gcloud ai-platform models add-iam-policy-binding <MODEL_NAME> \
        --member=serviceAccount:newserviceapp@appspot.gserviceaccount.com \
        --role=roles/ml.modelOwner
    

    The command outputs the updated policy:

      bindings:
      - members:
        - user:email1@gmail.com
        - serviceAccount:otherapp@appspot.gserviceaccount.com
        - serviceAccount:newserviceapp@appspot.gserviceaccount.com
        role: roles/ml.modelOwner
      - members:
        - user:email2@gmail.com
        - user:email3@gmail.com
        role: roles/ml.modelUser
      etag: BwVUJYGz8M4=
    

Stop sharing a model

  1. To stop sharing a model with a user or service, use the remove-iam-policy-binding command to remove the user or service from an existing AI Platform Prediction model policy. In this example, we remove the Model Owner email1@gmail.com from the model policy.

    gcloud ai-platform models remove-iam-policy-binding <MODEL_NAME> \
          --member=user:email1@gmail.com \
          --role=roles/ml.modelOwner
    

    The command outputs the updated policy:

      bindings:
      - members:
        - serviceAccount:otherapp@appspot.gserviceaccount.com
        - serviceAccount:newserviceapp@appspot.gserviceaccount.com
        role: roles/ml.modelOwner
      - members:
        - user:email2@gmail.com
        - user:email3@gmail.com
        role: roles/ml.modelUser
      etag: BwVUJYGz8M4=
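
To decide which bindings to remove, the policy can be reviewed against the two roles this guide describes. The following is an added example, not part of the original guide: it reads a policy in the JSON form produced by get-iam-policy, reports Model Owner grants outside an approved list, public members, and Model User grants made redundant by Model Owner, and renders the matching remove-iam-policy-binding commands. The approved-owner list, the function names and the model name my_model are assumptions of this example.

```python
import json
import shlex

OWNER = "roles/ml.modelOwner"
USER = "roles/ml.modelUser"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def audit_model_policy(policy, approved_owners):
    """Return (member, role, reason) findings for one model's IAM policy."""
    bindings = policy.get("bindings", [])
    owners = {m for b in bindings if b.get("role") == OWNER
              for m in b.get("members", [])}
    findings = []
    for binding in bindings:
        role = binding.get("role")
        for member in binding.get("members", []):
            if member in PUBLIC:
                findings.append((member, role, "public principal"))
            elif role == OWNER and member not in approved_owners:
                findings.append((member, role, "full access, not an approved owner"))
            elif role == USER and member in owners:
                findings.append((member, role, "redundant, already Model Owner"))
    return findings


def revoke_commands(findings, model):
    """Render each finding as the remove-iam-policy-binding command from this guide."""
    return [
        "gcloud ai-platform models remove-iam-policy-binding "
        f"{shlex.quote(model)} --member={shlex.quote(member)} --role={shlex.quote(role)}"
        for member, role, _ in findings
    ]


# Constructed sample, shaped like `get-iam-policy --format json` output.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/ml.modelOwner", "members": [
      "user:email1@gmail.com",
      "serviceAccount:otherapp@appspot.gserviceaccount.com",
      "serviceAccount:newserviceapp@appspot.gserviceaccount.com"]},
   {"role": "roles/ml.modelUser", "members": [
      "user:email2@gmail.com", "user:email3@gmail.com"]}],
 "etag": "BwVUJYGz8M4="}
""")
# Assumed allowlist of principals that are meant to have full access.
APPROVED_OWNERS = {"user:email1@gmail.com",
                   "serviceAccount:otherapp@appspot.gserviceaccount.com"}

if __name__ == "__main__":
    print("\n".join(revoke_commands(
        audit_model_policy(SAMPLE_POLICY, APPROVED_OWNERS), "my_model")))
```

Review the rendered commands before running them; a principal that still needs prediction access should be re-granted roles/ml.modelUser after its Model Owner binding is removed.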
    

REST API

Modifying policy via JSON API

  1. Get the existing policy by sending the following request:

    GET https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy
    

    The request returns the current policy in the response:

       {
          "bindings": [
          {
              "role": "roles/ml.modelOwner",
              "members": [
                  "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                  "user:email1@gmail.com"
              ]
          }
          ]
       }
    
  2. Once you have modified the policy, update it by sending the following request:

    POST https://ml.googleapis.com/v1/projects/<project>/models/<model>:setIamPolicy
    

    The request returns the updated policy in the response. In this example, we have added the user email2@gmail.com as a Model User:

        {
           "policy": {
               "bindings": [
               {
                   "role": "roles/ml.modelOwner",
                   "members": [
                       "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                       "user:email1@gmail.com"
                   ]
               },
               {
                   "role": "roles/ml.modelUser",
                   "members": [
                       "user:email2@gmail.com"
                   ]
               }
               ]
           }
        }
    
  1. To get an access token:

    gcloud auth print-access-token
    
  2. When calling the API, pass the token value as a bearer token in an Authorization header:

    curl -s -H 'Authorization: Bearer <ACCESS_TOKEN>' \
        https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy