Control access to online store resources

You can control access to online store instances and feature views by setting Identity and Access Management (IAM) policies for those resources. An IAM policy is a collection of bindings, which associates one or more members, or principals, to an IAM role. You can include the following types of members in an IAM policy binding:

  • Individual user accounts

  • Google groups

  • Domains

  • Service accounts

Before you begin

Authenticate to Vertex AI, unless you've done so already.

To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

    Install the Google Cloud CLI, then initialize it by running the following command:

    gcloud init

For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Set an IAM policy for an online store

Use the following sample to set an IAM policy for an existing online store instance.

REST

To assign an IAM policy to a FeatureOnlineStore resource, send a POST request by using the featureOnlineStores.setIamPolicy method.

Before using any of the request data, make the following replacements:

  • LOCATION_ID: Region where the online store instance is located, such as us-central1.
  • PROJECT_ID: Your project ID.
  • FEATUREONLINESTORE_NAME: The name of the online store instance for which you want to set the IAM policy.
  • IAM_ROLE_NAME: The name of the IAM role to assign to the members, for example, aiplatform.featureOnlineStoreUser. For a complete list of IAM roles for Vertex AI, see [Access control with IAM](/vertex-ai/docs/general/access-control).
  • USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
  • GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
  • DOMAIN_NAME: Optional. The domain name to which the role is assigned.
  • SERVICE_ACCOUNT_EMAIL: Optional.The email address of the service account to which the role is assigned..

HTTP method and URL:

POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy

Request JSON body:

{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "bindings": [
  {
    "role": "IAM_ROLE_NAME",
    "members": [
      "user:USER_EMAIL",
      "group:GROUP_EMAIL",
      "domain:DOMAIN_NAME",
      "serviceAccount:SERVICE_ACCOUNT_EMAIL"
    ]
  }
  ],
  "etag": "etag"
}

Set an IAM policy for a feature view

Use the following sample to set an IAM policy for an existing feature view.

REST

To assign an IAM policy to a FeatureView resource, send a POST request by using the featureViews.setIamPolicy method.

Before using any of the request data, make the following replacements:

  • LOCATION_ID: Region where the feature view is located, such as us-central1.
  • PROJECT_ID: Your project ID.
  • FEATUREONLINESTORE_NAME: The name of the online store instance containing the feature view.
  • FEATUREVIEW_NAME: The name of the feature view for which you want to set the IAM policy.
  • IAM_ROLE_NAME: The name of the IAM role to assign to the members, for example, aiplatform.featureOnlineStoreUser. For a complete list of IAM roles for Vertex AI, see [Access control with IAM](/vertex-ai/docs/general/access-control).
  • USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
  • GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
  • DOMAIN_NAME: Optional. The domain name to which the role is assigned.
  • SERVICE_ACCOUNT_EMAIL: Optional.The email address of the service account to which the role is assigned..

HTTP method and URL:

POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy

Request JSON body:

{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "bindings": [
  {
    "role": "IAM_ROLE_NAME",
    "members": [
      "user:USER_EMAIL",
      "group:GROUP_EMAIL",
      "domain:DOMAIN_NAME",
      "serviceAccount:SERVICE_ACCOUNT_EMAIL"
    ]
  }
  ],
  "etag": "etag"
}

What's next