Sharing Models

Cloud Machine Learning Engine uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account. To share a model, you grant a role that gives access to your model and its versions.

This guide focuses on two predefined Cloud ML Engine roles that can be used to grant access to model resources:

  • Cloud ML Engine Model Owner
  • Cloud ML Engine Model User

For details on other roles, see the full explanation of all the IAM roles available for use with Cloud ML Engine.

Before you begin

Model roles

The Cloud ML Engine Model Owner and Model User roles grant varying permissions to a particular model resource.

You can share models with individuals or services by granting them the Model User role.

| Role Title | Role Name | Capabilities |
| --- | --- | --- |
| Cloud ML Engine Model Owner | roles/ml.modelOwner | Full access to the model and its versions. This role is automatically granted to the user who creates the model. |
| Cloud ML Engine Model User | roles/ml.modelUser | Permissions to read the model and its versions, and use them for prediction. Granting this role makes it easy to share specific models. |

Sharing models

This example demonstrates how to edit an IAM policy for a particular model by granting the Model Owner or Model User roles to individuals and service accounts. You can edit the policy file using the API, gcloud, or the GCP Console.

Console

Share a model with a user or service account

  1. Open the Cloud ML Engine Models page.

  2. Select the checkbox for each model you would like to share.

  3. Click the Show Info Panel button in the upper right corner to display the Permissions tab.

  4. In the Add Members field, add the Google account(s) for the user(s) you want to share the model with. For example, "email1@gmail.com".

  5. In the Select a role drop-down field, select the role you want to add for the user(s). To share a model resource, select ML Engine Model Owner or ML Engine Model User.

    If you are not sure which role to select, see more details on model roles.

  6. Click the Add button next to the Select a role drop-down field to finalize your role selections.

  7. The GCP Console page refreshes and displays the roles you have assigned in the Permissions tab with a list of members associated with the role.

To stop sharing a model with a user or service account, click the trash icon next to the account ID.

gcloud

Modifying a model policy by editing the policy file directly

You can use either JSON or YAML files with the gcloud commands. This example uses JSON.

  1. Get the policy that you want to modify, and write it to a JSON file.

    gcloud ml-engine models get-iam-policy <MODEL_NAME> --format json > iam.json
    
  2. Open the policy file (iam.json in this example), or run cat iam.json to see the policy. In the following example policy, the service account is assigned the Cloud ML Engine Model Owner role so that it has access to online prediction.

     {
        "bindings": [
        {
            "role": "roles/ml.modelOwner",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                "user:email1@gmail.com"
            ]
        }
        ],
        "etag": "BwVUJYGz8M4="
     }
    
  3. Using a text editor, update your iam.json file as follows. Add a new object to the bindings array that defines the group members and the role for those members. For example, to grant the role roles/ml.modelUser to the user email2@gmail.com, change the example shown above as follows:

     {
        "bindings": [
        {
            "role": "roles/ml.modelOwner",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                "user:email1@gmail.com"
            ]
        },
        {
            "role": "roles/ml.modelUser",
            "members": [
                "user:email2@gmail.com"
            ]
        }
        ],
        "etag": "BwVUJYGz8M4="
     }
    
  4. Update the model's policy by running the following command:

    gcloud ml-engine models set-iam-policy <MODEL_NAME> iam.json
    
  5. The command outputs the updated policy in YAML:

    bindings:
    - members:
      - user:email1@gmail.com
      - serviceAccount:otherapp@appspot.gserviceaccount.com
      role: roles/ml.modelOwner
    - members:
      - user:email2@gmail.com
      role: roles/ml.modelUser
    etag: BwVUJYGz8M4=
    

Modifying a policy with policy binding commands

Use the add-iam-policy-binding and remove-iam-policy-binding commands to grant, revoke, and update access to models.

Share a model with a user

  1. Use the add-iam-policy-binding command to add a user to an existing Cloud ML Engine model policy as follows:

    gcloud ml-engine models add-iam-policy-binding <MODEL_NAME> \
        --member user:email3@gmail.com --role roles/ml.modelUser
    

    The command outputs the updated policy:

        bindings:
        - members:
          - user:email1@gmail.com
          - serviceAccount:otherapp@appspot.gserviceaccount.com
          role: roles/ml.modelOwner
        - members:
          - user:email2@gmail.com
          - user:email3@gmail.com
          role: roles/ml.modelUser
        etag: BwVUJYGz8M4=
    

Share a model with a service

  1. Use the add-iam-policy-binding command to add a service account to an existing Cloud ML Engine model policy as follows:

    gcloud ml-engine models add-iam-policy-binding <MODEL_NAME> \
        --member=serviceAccount:newserviceapp@appspot.gserviceaccount.com \
        --role=roles/ml.modelOwner
    

    The command outputs the updated policy:

      bindings:
      - members:
        - user:email1@gmail.com
        - serviceAccount:otherapp@appspot.gserviceaccount.com
        - serviceAccount:newserviceapp@appspot.gserviceaccount.com
        role: roles/ml.modelOwner
      - members:
        - user:email2@gmail.com
        - user:email3@gmail.com
        role: roles/ml.modelUser
      etag: BwVUJYGz8M4=
    

Stop sharing a model

  1. To stop sharing a model with a user or service, use the remove-iam-policy-binding command to remove the user or service from an existing Cloud ML Engine model policy. In this example, we remove the Model Owner email1@gmail.com from the model policy.

    gcloud ml-engine models remove-iam-policy-binding <MODEL_NAME> \
          --member=user:email1@gmail.com \
          --role=roles/ml.modelOwner
    

    The command outputs the updated policy:

      bindings:
      - members:
        - serviceAccount:otherapp@appspot.gserviceaccount.com
        - serviceAccount:newserviceapp@appspot.gserviceaccount.com
        role: roles/ml.modelOwner
      - members:
        - user:email2@gmail.com
        - user:email3@gmail.com
        role: roles/ml.modelUser
      etag: BwVUJYGz8M4=
    

API

Modifying policy via JSON API

  1. Get the existing policy by sending the following request:

    GET https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy
    

    The response contains the current policy:

       {
          "bindings": [
          {
              "role": "roles/ml.modelOwner",
              "members": [
                  "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                  "user:email1@gmail.com"
              ]
          }
          ]
       }
    
  2. Once you have modified the policy, update it by sending the following request:

    POST https://ml.googleapis.com/v1/projects/<project>/models/<model>:setIamPolicy
    

    The response contains the updated policy. In this example, we have added the user email2@gmail.com as a Model User:

        {
           "policy": {
               "bindings": [
               {
                   "role": "roles/ml.modelOwner",
                   "members": [
                       "serviceAccount:my-other-app@appspot.gserviceaccount.com",
                       "user:email1@gmail.com"
                   ]
               },
               {
                   "role": "roles/ml.modelUser",
                   "members": [
                       "user:email2@gmail.com"
                   ]
               }
               ]
           }
        }
    
  1. To get an access token:

    gcloud auth print-access-token
    
  2. When calling the API, pass the token value as a bearer token in an Authorization header:

    curl -s -H 'Authorization: Bearer <ACCESS_TOKEN>' \
        https://ml.googleapis.com/v1/projects/<project>/models/<model>:getIamPolicy
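
The text-editor step of the gcloud procedure and the modify step of the JSON API procedure are the same edit to the same policy document, and both set-iam-policy and setIamPolicy replace the stored policy with whatever is sent. The following Python is an added example, not code from this guide or from Google; the helper names grant, grants and check_edit are hypothetical. It makes the edit without touching the etag and checks that the result adds exactly the intended grant and revokes none:

```python
import copy
import json

# Constructed sample: the model policy shown in the steps above.
CURRENT = {
    "bindings": [{
        "role": "roles/ml.modelOwner",
        "members": ["serviceAccount:my-other-app@appspot.gserviceaccount.com",
                    "user:email1@gmail.com"],
    }],
    "etag": "BwVUJYGz8M4=",
}


def grant(policy, role, member):
    """Return a copy of policy with member added to role; the etag is untouched."""
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)  # reuse the existing binding
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def grants(policy):
    """Flatten a policy into a set of (role, member) pairs."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b["members"]}


def check_edit(before, after, expected):
    """Raise unless the edit adds exactly the expected grants and revokes none."""
    if before.get("etag") != after.get("etag"):
        raise ValueError("etag differs: re-fetch the policy and redo the edit")
    revoked = grants(before) - grants(after)
    if revoked:
        raise ValueError(f"edit would revoke: {sorted(revoked)}")
    added = grants(after) - grants(before)
    if added != set(expected):
        raise ValueError(f"added {sorted(added)}, expected {sorted(expected)}")
    return sorted(added)


if __name__ == "__main__":
    wanted = ("roles/ml.modelUser", "user:email2@gmail.com")
    updated = grant(CURRENT, *wanted)
    check_edit(CURRENT, updated, [wanted])
    print(json.dumps(updated, indent=2))  # contents for iam.json
```

Running check_edit on a hand-edited iam.json before submitting it catches the common mistake of saving a file that contains only the new binding, which would remove every existing Model Owner.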
    

What's next
