Control access to Vertex AI Feature Store resources

To control access at the resource level, Vertex AI lets you set Identity and Access Management (IAM) policies on either a featurestore or entity type resource. You cannot set IAM policies on other Vertex AI Feature Store resources.

A resource-level policy lets you control who can access a particular resource. In contrast, a project-level policy applies to all resources in the project. For example, you can grant all Vertex AI Feature Store users read permission on every featurestore by setting a project-level policy, and then grant write permission on particular featurestores to a subset of users by using resource-level policies. Note that IAM policies are additive: a resource-level policy can grant additional access, but it cannot remove access that a project-level policy already grants, so keep broad project-level grants to a minimum.

An IAM policy includes one or more role bindings that define which IAM roles are associated with which principals. A role is a collection of permissions that you grant to a principal. Vertex AI provides predefined roles that you can use in your policies. Or, you can create your own custom roles.

Considerations

You cannot set conditional resource-level policies; IAM Conditions are not supported on these resources. For example, you can't create a policy that grants access to every resource whose name starts with a particular string, such as testing, including resources that are created with such names later.

Sample use case

As an example, imagine your organization has two sets of users. One set manages your core infrastructure in a DevOps admin role. Another set manages particular entity types and their features, such as a data engineer.

A DevOps admin manages featurestores and entity types at the project level. When data engineers request a new entity type, a DevOps admin can create and delegate ownership of that entity type to the data engineers. Data engineers can freely manage features in the entity types they own, but they cannot operate on the featurestore or other entity types. This control, for example, lets DevOps admins limit access to entity types that contain sensitive information.

In this scenario, the DevOps admin has the aiplatform.featurestoreAdmin role at the project level. Then, when a data engineer requests a new entity type, the administrator creates a new entity type and then assigns the aiplatform.entityTypeOwner role to the data engineer at the entity type level (as a resource-level policy).

Get IAM policy

You can view the current IAM policy on a featurestore or entity type by using the Google Cloud console or API.

Web UI

  1. In the Vertex AI section of the Google Cloud console, go to the Features page.
  2. Select a region from the Region drop-down list.
  3. In the features table, select a featurestore or an entity type from the Featurestore or Entity type column.
  4. Click Permissions.
  5. To show only the permissions set directly on the selected resource, turn off Show inherited permissions. Permissions inherited from the project-level policy are hidden while this option is off.

    Principals who have access to the selected resource are grouped by role.

  6. Expand a role to see which principals are assigned to that role.

REST & CMD LINE

To get the IAM policy from a resource, send a POST request that uses the getIamPolicy method. The following example gets an entity type policy.

Before using any of the request data, make the following replacements:

  • LOCATION: Region where the featurestore is located, such as us-central1.
  • PROJECT: Your project ID.
  • FEATURESTORE_ID: ID of the featurestore.
  • ENTITY_TYPE_ID: ID of the entity type.

HTTP method and URL:

POST https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT/locations/LOCATION/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:getIamPolicy

To send your request, choose one of these options:

curl

Execute the following command:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT/locations/LOCATION/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:getIamPolicy"

PowerShell

Execute the following command:

$cred = gcloud auth application-default print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT/locations/LOCATION/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:getIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwXTmICm7mI",
  "bindings": [
    {
      "role": "roles/aiplatform.entityTypeOwner",
      "members": [
        "user:example@example.com"
      ]
    }
  ]
}

Additional languages

You can install and use the Vertex AI client libraries to call the Vertex AI API. Cloud Client Libraries provide an optimized developer experience by using each supported language's natural conventions and styles.

Set an IAM policy

You can set an IAM policy on a featurestore or entity type.

Web UI

  1. In the Vertex AI section of the Google Cloud console, go to the Features page.
  2. Select a region from the Region drop-down list.
  3. In the features table, select a featurestore or an entity type from the Featurestore or Entity type column.
  4. Click Permissions.
  5. Click Add principal.
  6. Specify a principal and one or more roles to associate with the principal.
  7. Click Save.

REST & CMD LINE

To set the IAM policy on a resource, send a POST request that uses the setIamPolicy method. The following example sets a policy on an entity type.

Setting an IAM policy replaces the existing policy in full; bindings in the request are not appended to the ones already present. If you want to modify a resource's existing policy, use the getIamPolicy method to read the current policy, make your changes to that copy, and include the full modified policy together with its etag in your setIamPolicy request. If you omit the etag, the write is unconditional and can silently overwrite a change that someone else made in the meantime.

If you receive a 409 error code, a concurrent setIamPolicy request updated the policy after you read it. Call getIamPolicy again to get the policy's updated etag, re-apply your changes to the fresh copy, and retry the setIamPolicy request with the new etag.

Before using any of the request data, make the following replacements:

  • LOCATION: Region where the featurestore is located, such as us-central1.
  • PROJECT: Your project ID.
  • FEATURESTORE_ID: ID of the featurestore.
  • ENTITY_TYPE_ID: ID of the entity type.
  • ROLE: An IAM role that includes the permissions to grant, such as roles/aiplatform.featurestoreDataViewer.
  • PRINCIPAL: The principal that is granted the role's permissions, such as user:myuser@example.com.
  • ETAG: A string value that is used to prevent simultaneous updates of a policy from overwriting each other. This value is returned as part of the getIamPolicy response.

HTTP method and URL:

POST https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT/locations/LOCATION/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:setIamPolicy

Request JSON body:

{
  "policy": {
    "bindings": [
      {
        "role": "ROLE",
        "members": [
          "PRINCIPAL"
        ]
      },
      ...
    ],
    "etag": "ETAG"
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file called request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT/locations/LOCATION/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:setIamPolicy"

PowerShell

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth application-default print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION-aiplatform.googleapis.com/v1beta1/projects/PROJECT/locations/LOCATION/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwXTmICm7mI",
  "bindings": [
    {
      "role": "roles/aiplatform.entityTypeOwner",
      "members": [
        "user:user1@example.com"
      ]
    },
    {
      "role": "roles/aiplatform.featurestoreDataViewer",
      "members": [
        "user:user2@example.com",
        "user:user3@example.com"
      ]
    },
    {
      "role": "roles/aiplatform.featurestoreDataWriter",
      "members": [
        "user:user4@example.com"
      ]
    }
  ]
}
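The get, merge and set steps above, carried through end to end as an added example (this is not Google's code and not part of the original page). It implements the read-modify-write that the setIamPolicy section describes for the DevOps admin / data engineer use case: read the entity type's policy, add a roles/aiplatform.entityTypeOwner binding without dropping the bindings already present, write it back with the etag, and on a 409 re-read and retry. The HTTP calls are abstracted as get_fn / set_fn callables so the logic runs offline; FakeEntityType, its constructed bindings, the PolicyConflict exception and the locally derived etag are all stand-ins for the real endpoint and are assumptions of this example.

```python
"""Read-modify-write of a Feature Store IAM policy with etag concurrency control.

Added example, not Google's own code. The getIamPolicy / setIamPolicy HTTP calls
from this page are abstracted as get_fn / set_fn callables so the merge-and-retry
logic can run offline against the constructed in-memory resource below.
"""
import copy
import hashlib
import json


class PolicyConflict(Exception):
    """Stands in for an HTTP 409 from setIamPolicy: the etag we sent is stale."""


def add_binding(policy, role, member):
    """Return a copy of policy with member granted role.

    All existing bindings and the etag are preserved. Sending only the new
    binding to setIamPolicy would replace the whole policy and silently revoke
    everyone else, so the merge has to happen client-side before the write.
    """
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def grant_with_retry(get_fn, set_fn, role, member, max_attempts=3):
    """getIamPolicy -> merge -> setIamPolicy, retrying with a fresh etag on 409.

    get_fn() returns the current policy dict including its etag;
    set_fn(policy) writes it and raises PolicyConflict on a stale etag.
    Returns (stored_policy, number_of_set_attempts).
    """
    for attempt in range(1, max_attempts + 1):
        current = get_fn()
        desired = add_binding(current, role, member)  # etag carried over
        try:
            return set_fn(desired), attempt
        except PolicyConflict:
            continue  # someone else wrote in between; re-read and re-merge
    raise RuntimeError(f"policy update lost {max_attempts} races; giving up")


def _etag(policy):
    """Opaque version tag derived from the bindings (assumption: real etags
    are issued by the server and are not reproducible from the content)."""
    canonical = json.dumps(policy.get("bindings", []), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:12]


class FakeEntityType:
    """Constructed stand-in for an entity type's IAM policy endpoint."""

    def __init__(self, bindings):
        self.policy = {"version": 1, "bindings": copy.deepcopy(bindings)}
        self.policy["etag"] = _etag(self.policy)

    def get_iam_policy(self):
        return copy.deepcopy(self.policy)

    def set_iam_policy(self, policy):
        # Reject writes whose etag no longer matches the stored policy (409).
        if policy.get("etag") != self.policy["etag"]:
            raise PolicyConflict("409: policy was modified concurrently")
        stored = {"version": 1, "bindings": copy.deepcopy(policy["bindings"])}
        stored["etag"] = _etag(stored)
        self.policy = stored
        return copy.deepcopy(stored)


def demo():
    """Grant entityTypeOwner to a data engineer while another admin races us."""
    entity_type = FakeEntityType(  # constructed starting policy
        [{"role": "roles/aiplatform.featurestoreDataViewer",
          "members": ["user:user2@example.com"]}]
    )
    raced = {"done": False}

    def racy_set(policy):
        # On our first write, simulate a second admin landing an update between
        # our getIamPolicy and setIamPolicy; that invalidates the etag we hold.
        if not raced["done"]:
            raced["done"] = True
            other = add_binding(entity_type.get_iam_policy(),
                                "roles/aiplatform.featurestoreDataViewer",
                                "user:user3@example.com")
            entity_type.set_iam_policy(other)
        return entity_type.set_iam_policy(policy)

    final, attempts = grant_with_retry(
        entity_type.get_iam_policy, racy_set,
        "roles/aiplatform.entityTypeOwner", "user:user1@example.com")
    return final, attempts


if __name__ == "__main__":
    policy, attempts = demo()
    print(json.dumps(policy, indent=2))
    print(f"set attempts: {attempts}")
```

Against the real API, get_fn would POST to the :getIamPolicy URL shown above with a bearer token and return the parsed JSON, and set_fn would POST the merged policy to :setIamPolicy and raise PolicyConflict when the response status is 409. The second admin's binding for user3 survives in the final policy only because the client re-reads and re-merges after the conflict instead of resending its stale copy.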
