Access control with IAM

AI Platform Training uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.

There are three types of IAM roles that can be used in AI Platform Training:

  • Basic roles (Owner, Viewer, and Editor) are common to all Google Cloud services.

  • Predefined AI Platform Training roles give you fine-grained access control to your AI Platform Training resources at the project and model levels.

  • Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.

This guide focuses on the predefined AI Platform Training roles, their typical usage, and the permissions they grant.

It covers the roles and permissions that you need in order to access AI Platform Training resources. To learn about the permissions that these resources themselves have to access other Google Cloud resources, read about the AI Platform Google-managed service account and custom service accounts.

Basic roles

The legacy AI Platform Training IAM roles are based on the basic roles that are common to all Google Cloud services: Owner, Viewer, and Editor.

The legacy project Editor role is equivalent to the AI Platform Training Admin role.

The legacy project Viewer role grants the same permissions as the AI Platform Training Viewer role, plus access to send online prediction requests. The advantage of using the AI Platform Training Viewer role is that the user gets strictly read-only access to AI Platform Training resources, without the ability to send prediction requests.
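The equivalences above matter when auditing a project: a principal holding the basic Editor role has the same AI Platform Training access as roles/ml.admin, but Editor also spans every other Google Cloud service. The script below is an added example (not part of the Google Cloud documentation) that reads an IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and reports basic-role holders and Editors who could be moved to roles/ml.admin. The sample policy, its principals and its etag are constructed placeholders; the function names are this example's own.

```python
"""Audit an AI Platform Training project's IAM policy for basic-role holders
(added example, not part of the Google Cloud documentation).

Input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
returns; the policy below is constructed for this example and every principal
in it is a placeholder."""
from __future__ import annotations

import json
from collections import defaultdict

# Basic roles are common to all Google Cloud services, not only AI Platform Training.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Project-level predefined AI Platform Training roles listed on this page.
PREDEFINED_ML_ROLES = {"roles/ml.admin", "roles/ml.developer", "roles/ml.viewer"}

# Constructed sample policy (placeholder principals, placeholder etag).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwEXAMPLE=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:trainer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:analysts@example.com"]},
        {"role": "roles/ml.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/ml.viewer", "members": ["user:bob@example.com"]},
        # A conditional binding: the member holds the role while the condition is true.
        {"role": "roles/editor", "members": ["user:carol@example.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
})


def members_by_role(policy_json: str) -> dict[str, set[str]]:
    """Flatten the policy's bindings into role -> set of members.
    Conditional bindings are kept: the member still holds the role whenever the
    condition evaluates true, so an audit must not ignore them."""
    policy = json.loads(policy_json)
    out: dict[str, set[str]] = defaultdict(set)
    for binding in policy.get("bindings", []):
        out[binding["role"]].update(binding.get("members", []))
    return dict(out)


def basic_role_holders(policy_json: str) -> dict[str, set[str]]:
    """Principals granted Owner, Editor or Viewer at the project level."""
    return {role: members for role, members in members_by_role(policy_json).items()
            if role in BASIC_ROLES}


def editor_to_ml_admin_candidates(policy_json: str) -> set[str]:
    """Editors who do not also hold roles/ml.admin. The page states the two roles
    are equivalent for AI Platform Training, so these principals keep their ML
    access if the Editor binding is replaced by roles/ml.admin (permissions that
    Editor carries for other services are not covered by that replacement)."""
    by_role = members_by_role(policy_json)
    return by_role.get("roles/editor", set()) - by_role.get("roles/ml.admin", set())


if __name__ == "__main__":
    for role, members in sorted(basic_role_holders(SAMPLE_POLICY).items()):
        print(role, sorted(members))
    print("move to roles/ml.admin:", sorted(editor_to_ml_admin_candidates(SAMPLE_POLICY)))
```

Run it against a real export by replacing SAMPLE_POLICY with the file contents; bindings that carry a condition are deliberately included in the flattened view, since the principal holds the role for as long as the condition is true.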

Predefined roles

Predefined roles grant a set of related permissions. AI Platform Training offers predefined roles for your project, and also for individual models, jobs, and operations.

The Permissions and roles section below lists the full set of permissions granted by each role.

Project roles

The AI Platform Training Admin, Developer, and Viewer roles grant varying levels of access to resources at the project level.

To add, update, or remove these roles in your AI Platform Training project, see the documentation on granting, changing, and revoking access.

Role title, role name, and capabilities:

AI Platform Training Admin (roles/ml.admin)
  Full control of the AI Platform Training project, and its jobs, operations, models, and versions.
  Note: The basic project Editor role is equivalent to roles/ml.admin.

AI Platform Training Developer (roles/ml.developer)
  Create training and prediction jobs, models and versions, and send online prediction requests.

AI Platform Training Viewer (roles/ml.viewer)
  Read-only access to AI Platform Training resources.

Job and operation roles

Similar to the Model Owner role, there are owner roles at the job and operation resource levels that are assigned automatically to the user who creates the job or operation. These roles give the user full control of any job or operation they create. For the exact permissions, see the Job Owner role and Operation Owner role sections under Permissions and roles.

Permissions and roles

Refer to this section for a full list of permissions that are granted with each AI Platform Training predefined role. If these predefined roles do not meet your needs, use this section as a reference for creating your own custom roles.

Admin role

Role name: roles/ml.admin
Role title: AI Platform Training Admin
Description: Full access to your AI Platform Training project, and its jobs, operations, models, and versions.

Note: Migrating to this role from the basic project Editor role is fairly simple. If you previously used the basic Editor role assigned at the project level, you can use this roles/ml.admin role to grant exactly the same set of permissions to the user.

Permissions:

  • resourcemanager.projects.get
  • ml.projects.getConfig
  • ml.jobs.create
  • ml.jobs.list
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.setIamPolicy
  • ml.jobs.cancel
  • ml.operations.list
  • ml.operations.get
  • ml.operations.cancel
  • ml.models.create
  • ml.models.list
  • ml.models.get
  • ml.models.setIamPolicy
  • ml.models.getIamPolicy
  • ml.models.predict
  • ml.models.delete
  • ml.models.update
  • ml.versions.create
  • ml.versions.list
  • ml.versions.get
  • ml.versions.predict
  • ml.versions.delete

Developer role

Role name: roles/ml.developer
Role title: AI Platform Training Developer
Description: Access to create training and prediction jobs, models and versions, and send online prediction requests.

Note: A developer receives ml.jobs.cancel and ml.jobs.update permissions on all jobs they create, because creating a job automatically grants them the AI Platform Training Job Owner role.

Recommendation: Grant the developer read-only access to the AI Platform Training logs for troubleshooting purposes.

Permissions:

  • resourcemanager.projects.get
  • ml.projects.getConfig
  • ml.jobs.create
  • ml.jobs.list
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.operations.list
  • ml.operations.get
  • ml.models.create
  • ml.models.list
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.predict
  • ml.versions.list
  • ml.versions.get
  • ml.versions.predict

Viewer role

Role name: roles/ml.viewer
Role title: AI Platform Training Viewer
Description: Read-only access to AI Platform Training resources on a particular project.

Note: The legacy project Viewer role grants a user the same permissions as the roles/ml.viewer role, plus access to send online prediction requests.

Permissions:

  • resourcemanager.projects.get
  • ml.projects.getConfig
  • ml.jobs.list
  • ml.jobs.get
  • ml.operations.list
  • ml.operations.get
  • ml.models.list
  • ml.models.get
  • ml.versions.list
  • ml.versions.get

Job Owner role

Role name: roles/ml.jobOwner
Role title: AI Platform Training Job Owner
Description: Full access to all permissions for a particular job resource. The Job Owner role is granted automatically to the user who creates that job.

For example, a user who has the AI Platform Training Developer role on a project can create jobs, list all jobs, and get all jobs in a given project. The Developer has access to cancel only the job(s) they have created.

Permissions:

  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.cancel

Operation Owner role

Role name: roles/ml.operationOwner
Role title: AI Platform Training Operation Owner
Description: Full access to all permissions for a particular operation resource. The Operation Owner role is granted to the user automatically on any operations that the user indirectly creates when creating a version or a model, so that the user can always get and cancel their own operations.

Permissions:

  • ml.operations.get
  • ml.operations.cancel

Permissions required for methods

For convenience, this section lists the permissions required to call each method in AI Platform Training:

Method                       Required permission(s)
projects.getConfig           ml.projects.getConfig
projects.jobs.cancel         ml.jobs.cancel
projects.jobs.create         ml.jobs.create
projects.jobs.get            ml.jobs.get
projects.jobs.list           ml.jobs.list
projects.operations.cancel   ml.operations.cancel
projects.operations.get      ml.operations.get
projects.operations.list     ml.operations.list
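The method table above, combined with the per-role permission lists in the Permissions and roles section, is what you need to pick the least-privileged predefined role for a workload, or to assemble a custom role when none of them fits. The following helper is an added example (not Google's code): ROLE_PERMISSIONS and METHOD_PERMISSIONS are transcribed from this page; the "fewest permissions wins" selection heuristic, the function names and the placeholder project id are assumptions of the example. It also shows what a downgrade from one predefined role to another removes.

```python
"""Least-privilege helper for AI Platform Training IAM (added example, not
Google's code). ROLE_PERMISSIONS and METHOD_PERMISSIONS are transcribed from the
permission lists and the method table on this page; the selection heuristic, the
function names and the placeholder project id are assumptions of this example."""
from __future__ import annotations

from collections.abc import Iterable

# Project-level predefined roles. The page lists each role's permissions in full;
# those lists nest (Viewer < Developer < Admin), so each is built from the previous.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {}
ROLE_PERMISSIONS["roles/ml.viewer"] = frozenset({
    "resourcemanager.projects.get", "ml.projects.getConfig",
    "ml.jobs.list", "ml.jobs.get", "ml.operations.list", "ml.operations.get",
    "ml.models.list", "ml.models.get", "ml.versions.list", "ml.versions.get",
})
ROLE_PERMISSIONS["roles/ml.developer"] = ROLE_PERMISSIONS["roles/ml.viewer"] | {
    "ml.jobs.create", "ml.jobs.getIamPolicy", "ml.models.create",
    "ml.models.getIamPolicy", "ml.models.predict", "ml.versions.predict",
}
ROLE_PERMISSIONS["roles/ml.admin"] = ROLE_PERMISSIONS["roles/ml.developer"] | {
    "ml.jobs.setIamPolicy", "ml.jobs.cancel", "ml.operations.cancel",
    "ml.models.setIamPolicy", "ml.models.delete", "ml.models.update",
    "ml.versions.create", "ml.versions.delete",
}

# Permission required to call each method ("Permissions required for methods" table).
METHOD_PERMISSIONS: dict[str, frozenset[str]] = {
    "projects.getConfig": frozenset({"ml.projects.getConfig"}),
    "projects.jobs.cancel": frozenset({"ml.jobs.cancel"}),
    "projects.jobs.create": frozenset({"ml.jobs.create"}),
    "projects.jobs.get": frozenset({"ml.jobs.get"}),
    "projects.jobs.list": frozenset({"ml.jobs.list"}),
    "projects.operations.cancel": frozenset({"ml.operations.cancel"}),
    "projects.operations.get": frozenset({"ml.operations.get"}),
    "projects.operations.list": frozenset({"ml.operations.list"}),
}


def permissions_for(methods: Iterable[str]) -> set[str]:
    """Union of the permissions the given methods require; rejects methods the
    page's table does not cover rather than silently under-provisioning."""
    methods = set(methods)
    unknown = sorted(methods - set(METHOD_PERMISSIONS))
    if unknown:
        raise ValueError(f"not in the method table: {unknown}")
    return set().union(*(METHOD_PERMISSIONS[m] for m in methods))


def roles_covering(methods: Iterable[str]) -> list[str]:
    """Predefined project roles that grant every needed permission, smallest first."""
    needed = permissions_for(methods)
    return sorted((role for role, perms in ROLE_PERMISSIONS.items() if needed <= perms),
                  key=lambda role: len(ROLE_PERMISSIONS[role]))


def least_privilege_role(methods: Iterable[str]) -> str | None:
    """Covering role with the fewest permissions (heuristic: least excess grant),
    or None if no predefined project role suffices."""
    covering = roles_covering(methods)
    return covering[0] if covering else None


def custom_role_permissions(methods: Iterable[str]) -> list[str]:
    """Exact permission list for a custom role that allows only these methods."""
    return sorted(permissions_for(methods))


def role_diff(role_a: str, role_b: str) -> list[str]:
    """Permissions role_a grants that role_b does not (what a downgrade removes)."""
    return sorted(ROLE_PERMISSIONS[role_a] - ROLE_PERMISSIONS[role_b])


def gcloud_custom_role_command(role_id: str, project: str, methods: Iterable[str]) -> str:
    """Build (not run) the gcloud command that creates the custom role."""
    perms = ",".join(custom_role_permissions(methods))
    return (f"gcloud iam roles create {role_id} --project={project} "
            f"--title={role_id} --stage=GA --permissions={perms}")


if __name__ == "__main__":
    wanted = {"projects.jobs.list", "projects.jobs.get", "projects.jobs.cancel"}
    print("covering roles:", roles_covering(wanted))
    print("least privilege:", least_privilege_role(wanted))
    print("admin beyond developer:", role_diff("roles/ml.admin", "roles/ml.developer"))
    print(gcloud_custom_role_command("mlJobOperator", "PROJECT_ID_PLACEHOLDER", wanted))
```

The helper only considers project-level grants. A request that includes projects.jobs.cancel therefore resolves to roles/ml.admin, which is the correct project-wide answer; if the real need is only to cancel one's own jobs, the page's Job Owner role, granted automatically at job creation, already covers that and no project-level grant is required.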
