Control access to resources

You can set Identity and Access Management (IAM) policies to control access to the following Vertex AI Feature Store resources:

  • Feature groups (preview)

  • Online store instances

  • Feature views

An IAM policy is a collection of bindings, which associates one or more members, or principals, to an IAM role. You can include the following types of members in an IAM policy binding:

  • Individual user accounts

  • Google groups

  • Domains

  • Service accounts

Before you begin

Authenticate to Vertex AI, unless you've done so already.

To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

    Install the Google Cloud CLI, then initialize it by running the following command:

    gcloud init

For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Set an IAM policy for a feature group

Use the following sample to set an IAM policy for an existing feature group.

REST

To assign an IAM policy to a FeatureGroup resource, send a POST request by using the featureGroups.setIamPolicy method.

Before using any of the request data, make the following replacements:

  • LOCATION_ID: Region where the feature group is located, such as us-central1.
  • PROJECT_ID: Your project ID.
  • FEATUREGROUP_NAME: The name of the feature group for which you want to set the IAM policy.
  • IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
  • USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
  • GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
  • DOMAIN_NAME: Optional. The domain name to which the role is assigned.
  • SERVICE_ACCOUNT_EMAIL: Optional. The email address of the service account to which the role is assigned.

HTTP method and URL:

POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureGroups/FEATUREGROUP_NAME:setIamPolicy

Request JSON body:

{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureGroups/FEATUREGROUP_NAME:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureGroups/FEATUREGROUP_NAME:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "bindings": [
    {
      "role": "IAM_ROLE_NAME",
      "members": [
        "user:USER_EMAIL",
        "group:GROUP_EMAIL",
        "domain:DOMAIN_NAME",
        "serviceAccount:SERVICE_ACCOUNT_EMAIL"
      ]
    }
  ],
  "etag": "etag"
}

Set an IAM policy for an online store

Use the following sample to set an IAM policy for an existing online store instance.

REST

To assign an IAM policy to a FeatureOnlineStore resource, send a POST request by using the featureOnlineStores.setIamPolicy method.

Before using any of the request data, make the following replacements:

  • LOCATION_ID: Region where the online store instance is located, such as us-central1.
  • PROJECT_ID: Your project ID.
  • FEATUREONLINESTORE_NAME: The name of the online store instance for which you want to set the IAM policy.
  • IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
  • USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
  • GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
  • DOMAIN_NAME: Optional. The domain name to which the role is assigned.
  • SERVICE_ACCOUNT_EMAIL: Optional. The email address of the service account to which the role is assigned.

HTTP method and URL:

POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy

Request JSON body:

{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "bindings": [
    {
      "role": "IAM_ROLE_NAME",
      "members": [
        "user:USER_EMAIL",
        "group:GROUP_EMAIL",
        "domain:DOMAIN_NAME",
        "serviceAccount:SERVICE_ACCOUNT_EMAIL"
      ]
    }
  ],
  "etag": "etag"
}

Set an IAM policy for a feature view

Use the following sample to set an IAM policy for an existing feature view.

REST

To assign an IAM policy to a FeatureView resource, send a POST request by using the featureViews.setIamPolicy method.

Before using any of the request data, make the following replacements:

  • LOCATION_ID: Region where the feature view is located, such as us-central1.
  • PROJECT_ID: Your project ID.
  • FEATUREONLINESTORE_NAME: The name of the online store instance containing the feature view.
  • FEATUREVIEW_NAME: The name of the feature view for which you want to set the IAM policy.
  • IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
  • USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
  • GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
  • DOMAIN_NAME: Optional. The domain name to which the role is assigned.
  • SERVICE_ACCOUNT_EMAIL: Optional. The email address of the service account to which the role is assigned.

HTTP method and URL:

POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy

Request JSON body:

{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "bindings": [
    {
      "role": "IAM_ROLE_NAME",
      "members": [
        "user:USER_EMAIL",
        "group:GROUP_EMAIL",
        "domain:DOMAIN_NAME",
        "serviceAccount:SERVICE_ACCOUNT_EMAIL"
      ]
    }
  ],
  "etag": "etag"
}
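The three setIamPolicy calls above (feature group, online store, feature view) share one request shape, and all three replace the resource's entire policy rather than appending to it. The following Python is an added example, not code from the page or from Google's client libraries: it validates that each member carries one of the four prefixes the page lists, builds the regional endpoint URL for any of the three resource paths, and merges a new binding into the policy returned by the matching getIamPolicy call so that existing bindings and the etag survive (the standard read-modify-write pattern; a stale etag makes the server reject the write). The role name, emails and etag in the sample are constructed; the grant() helper, which performs the network calls with a gcloud access token, is this example's own assumption about how the two endpoints are paired.

```python
"""Read-modify-write of a Vertex AI Feature Store IAM policy (added example)."""
import json
import subprocess
import urllib.request

# Member prefixes the page lists for an IAM policy binding.
MEMBER_PREFIXES = ("user:", "group:", "domain:", "serviceAccount:")


def validate_member(member):
    """Reject a member string that does not use one of the accepted prefixes."""
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"unsupported IAM member: {member!r}")
    kind, _, value = member.partition(":")
    # user, group and serviceAccount members are email addresses; domain is not.
    if not value or (kind != "domain" and "@" not in value):
        raise ValueError(f"malformed IAM member: {member!r}")
    return member


def resource_url(resource, location, project, api_version):
    """Build the regional aiplatform endpoint for a Feature Store resource.

    `resource` is the path below the location, e.g. 'featureGroups/NAME'
    or 'featureOnlineStores/STORE/featureViews/VIEW'.
    """
    return (f"https://{location}-aiplatform.googleapis.com/{api_version}/"
            f"projects/{project}/locations/{location}/{resource}")


def merge_binding(policy, role, members):
    """Return a copy of `policy` with `members` added to the binding for `role`.

    setIamPolicy overwrites the whole policy, so every existing binding is
    carried over and the etag is kept for optimistic concurrency control.
    """
    members = [validate_member(m) for m in members]
    new_policy = {"bindings": [dict(b, members=list(b["members"]))
                               for b in policy.get("bindings", [])]}
    if "etag" in policy:
        new_policy["etag"] = policy["etag"]
    for binding in new_policy["bindings"]:
        if binding["role"] == role:
            for m in members:
                if m not in binding["members"]:
                    binding["members"].append(m)
            break
    else:
        new_policy["bindings"].append({"role": role, "members": members})
    return new_policy


def setiam_body(policy):
    """Serialize the request body in the shape the page shows."""
    return json.dumps({"policy": policy}, indent=2)


def send(url, body=None):
    """POST to the API using a gcloud access token (network call, not run offline)."""
    token = subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json; charset=utf-8",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant(resource, location, project, api_version, role, members):
    """Assumed pairing: getIamPolicy -> merge locally -> setIamPolicy with etag."""
    base = resource_url(resource, location, project, api_version)
    current = send(base + ":getIamPolicy")
    updated = merge_binding(current, role, members)
    return send(base + ":setIamPolicy", setiam_body(updated).encode())


if __name__ == "__main__":
    # Constructed sample policy: one existing binding plus an etag.
    existing = {"bindings": [{"role": "roles/viewer",
                              "members": ["user:alice@example.com"]}],
                "etag": "BwXyz"}
    merged = merge_binding(existing, "roles/viewer",
                           ["group:ml-team@example.com", "user:alice@example.com"])
    print(resource_url("featureGroups/FEATUREGROUP_NAME", "us-central1",
                       "PROJECT_ID", "v1beta1") + ":setIamPolicy")
    print(setiam_body(merged))
```

Running the script offline prints the merged body: the duplicate alice entry is dropped, the group is appended to the existing binding, and the etag from the read is echoed back so that a concurrent change to the same policy causes the write to fail instead of silently overwriting it.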

What's next