Manage access using IAM roles

This page describes how to grant and revoke access to Notebooks resources. This page focuses on Notebooks roles only. For information on how to grant and revoke access to resources using other roles, see Granting, changing, and revoking access to resources.

Before you begin

Granting access

To grant roles to a principal (user, group, or service account), you can use the Google Cloud Console or the gcloud command-line tool.

Cloud Console

Complete the following steps in the Cloud Console.

  1. Open the IAM & Admin page in the Cloud Console.

  2. To choose a project, click Select, select the project that you want, and click Open.

  3. Identify the principal to which you want to add a role.

    • If the principal isn't already on the principals list, it doesn't have any roles assigned to it. Click Add and enter the identifier of the principal. For example, alice@example.com.
    • If the principal is already on the principals list, it has existing roles. To edit the principal's roles, click the Edit button. Then click the Add another role button.

  4. Click the Select a role drop-down menu, and select AI Notebooks to show the available Notebooks IAM roles. These roles grant access only to the Notebooks resources within a project; access that the principal holds through other roles is unaffected.

  5. Select a role.

  6. Click Save to apply the roles.

gcloud tool

Complete the following steps using the gcloud command-line tool.

To grant a role to a principal, run the gcloud tool's add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member PRINCIPAL_ID --role ROLE_NAME

Provide the following values:

  • PROJECT_ID: The ID of the project that you wish to grant access to.

  • PRINCIPAL_ID: An identifier for the principal (user, group, or service account) that needs access. For example: user:alice@example.com, group:admins@example.com, or serviceAccount:my-other-app@appspot.gserviceaccount.com.

  • ROLE_NAME: The name of the role. See the list of Notebooks IAM roles. These roles grant access only to the Notebooks resources within a project; access that the principal holds through other roles is unaffected.

For example, to grant the roles/notebooks.viewer role to the user alice@example.com for the project my-project:

gcloud projects add-iam-policy-binding my-project \
    --member user:alice@example.com --role roles/notebooks.viewer

Revoking access

To revoke access, use one of the following methods:

Cloud Console

Complete the following steps in the Cloud Console.

  1. Open the IAM & Admin page in the Cloud Console.

  2. To choose a project, click Select, select the project that you want, and click Open.

  3. Locate the principal for whom you want to revoke access, and then click the Edit button on the right.

  4. Click the Delete button for each role you want to revoke.

  5. Click Save.

gcloud tool

Complete the following steps using the gcloud command-line tool.

To revoke a role from a principal, run the gcloud tool's remove-iam-policy-binding command:

gcloud projects remove-iam-policy-binding PROJECT_ID \
    --member PRINCIPAL_ID --role ROLE_NAME

Provide the following values:

  • PROJECT_ID: The project ID.

  • PRINCIPAL_ID: An identifier for the principal (user, group, or service account). For example: user:alice@example.com, group:admins@example.com, or serviceAccount:my-other-app@appspot.gserviceaccount.com.

  • ROLE_NAME: The name of the role to revoke.

For example, to revoke the roles/notebooks.viewer role from the user alice@example.com for the project my-project:

gcloud projects remove-iam-policy-binding my-project \
    --member user:alice@example.com --role roles/notebooks.viewer
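
After revoking a role, it is worth confirming what access remains, because removing one binding leaves any other binding for the same principal in place. The following check is an added example, not part of the original page: it reads a policy shaped like the JSON printed by `gcloud projects get-iam-policy my-project --format=json` and reports which roles reaching Notebooks resources still name a principal. The sample policy is constructed, the function names are hypothetical, and treating the basic roles (owner, editor, viewer) as covering Notebooks is an assumption.

```python
import json

# Constructed sample, shaped like `gcloud projects get-iam-policy my-project --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/notebooks.viewer",
     "members": ["group:admins@example.com"]},
    {"role": "roles/notebooks.admin",
     "members": ["serviceAccount:my-other-app@appspot.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com", "allAuthenticatedUsers"]}
  ]
}
""")

# Assumption: basic roles span every service in the project, Notebooks included.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def notebooks_bindings(policy):
    """Map each role that reaches Notebooks resources to its sorted members."""
    result = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role.startswith("roles/notebooks.") or role in BASIC_ROLES:
            result.setdefault(role, set()).update(binding.get("members", []))
    return {role: sorted(members) for role, members in result.items()}


def roles_for(policy, principal):
    """Roles reaching Notebooks that still name this principal directly."""
    return sorted(r for r, m in notebooks_bindings(policy).items() if principal in m)


def public_notebooks_roles(policy):
    """Roles reaching Notebooks that are bound to allUsers/allAuthenticatedUsers."""
    return sorted(r for r, m in notebooks_bindings(policy).items()
                  if PUBLIC_MEMBERS.intersection(m))


if __name__ == "__main__":
    for role, members in sorted(notebooks_bindings(SAMPLE_POLICY).items()):
        print(role, members)
    print("alice still holds:", roles_for(SAMPLE_POLICY, "user:alice@example.com"))
    print("public bindings:", public_notebooks_roles(SAMPLE_POLICY))
```

The check matches members literally, so it does not expand group membership, custom roles, or bindings inherited from a folder or organization; review those separately.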

What's next