You can control access to Vertex AI Feature Store (Legacy) resources by setting IAM policies at different levels of the resource hierarchy. For example:
A project-level policy IAM applies to all resources in a project. You can set a project-level policy to grant permissions to users to read all featurestores in your project.
A resource-level IAM policy lets you specify which users can access specific resources. For a subset of users, you can set a resource-level policy to grant write permissions to specific featurestores in your project.
You can set resource-level Identity and Access Management (IAM) policies on the following Vertex AI Feature Store (Legacy) resources:
Featurestore: When you set an Identity and Access Management policy on a featurestore, the policy applies to the featurestore and all entity types created in that featurestore.
Entity type: When you set an Identity and Access Management policy on an entity type, the policy applies only to the entity type and the featurestore where the entity type is created.
An IAM policy includes one or more role bindings that define which IAM roles are associated with which principals. A role is a collection of permissions that you grant to a principal. Vertex AI provides predefined roles that you can use in your policies. Or, you can create your own custom roles.
Considerations
You can't set conditional resource policies. For example, you can't create a policy that grants access to any resource that has or will have a name starting with a particular string like testing.
Sample use case
As an example, imagine your organization has two sets of users. One set manages your core infrastructure in a DevOps admin role. Another set manages particular entity types and their features, such as a data engineer.
A DevOps admin manages featurestores and entity types at the project level. When data engineers request a new entity type, a DevOps admin can create and delegate ownership of that entity type to the data engineers. Data engineers can freely manage features in the entity types they own, but they can't operate on the featurestore or other entity types. This control, for example, lets DevOps admins limit access to entity types that contain sensitive information.
In this scenario, the DevOps admin has the aiplatform.featurestoreAdmin role at the project level. Then, when a data engineer requests a new entity type, the administrator creates a new entity type and then assigns the aiplatform.entityTypeOwner role to the data engineer at the entity type level (as a resource-level policy).
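The scenario above hinges on where a binding is attached: a project-level role reaches every featurestore and entity type, while an entity-type-level role reaches only that one entity type. The following Python model of that hierarchy is an added illustration, not code from the Google Cloud documentation; the role names are the ones this page uses, and the project, featurestore, entity-type IDs and principals are constructed. It treats the project, the featurestore and the entity type as the policy-bearing levels (the locations segment of the resource name is not a level on this page) and an entity-type policy as scoped to that entity type.

```python
"""Model of how IAM role bindings accumulate down the Feature Store (Legacy)
resource hierarchy: project -> featurestore -> entity type.

Added illustration, not code from the Google Cloud documentation. Role names
are the ones the page mentions; resource IDs and principals are made up.
"""
from collections import defaultdict


def ancestors(resource: str) -> list[str]:
    """Return the policy-bearing ancestors of a resource, outermost first.

    Only the project, the featurestore and the entity type carry IAM policies
    on this page, so the bare 'locations/<id>' prefix is skipped as a level.
    """
    parts = resource.split("/")
    chain = []
    for i in range(2, len(parts) + 1, 2):
        if parts[i - 2] == "locations":
            continue
        chain.append("/".join(parts[:i]))
    return chain


def effective_bindings(policies: dict[str, list[dict]], resource: str) -> dict[str, set[str]]:
    """Union the role bindings of every ancestor policy, keyed by principal."""
    roles_by_principal: dict[str, set[str]] = defaultdict(set)
    for name in ancestors(resource):
        for binding in policies.get(name, []):
            for member in binding["members"]:
                roles_by_principal[member].add(binding["role"])
    return dict(roles_by_principal)


# Constructed sample hierarchy: one project, one featurestore, two entity types.
PROJECT = "projects/example-project"
FS_A = PROJECT + "/locations/us-central1/featurestores/fs_a"
ET_USERS = FS_A + "/entityTypes/users"
ET_CARDS = FS_A + "/entityTypes/cards"  # imagine this one holds sensitive data

# Constructed policies following the page's use case: the DevOps admin is
# featurestoreAdmin at the project level; the data engineer owns one entity type.
POLICIES = {
    PROJECT: [{"role": "roles/aiplatform.featurestoreAdmin",
               "members": ["user:devops@example.com"]}],
    ET_USERS: [{"role": "roles/aiplatform.entityTypeOwner",
                "members": ["user:data-eng@example.com"]}],
}


def roles_of(principal: str, resource: str) -> set[str]:
    """Roles a principal effectively holds on `resource` under POLICIES."""
    return effective_bindings(POLICIES, resource).get(principal, set())


if __name__ == "__main__":
    for res in (FS_A, ET_USERS, ET_CARDS):
        print(res)
        for who in ("user:devops@example.com", "user:data-eng@example.com"):
            print("  ", who, sorted(roles_of(who, res)))
```

Running the model shows the control the page describes: the data engineer holds entityTypeOwner on the users entity type and nothing on the cards entity type or the featurestore, while the project-level admin role is visible on every resource.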
Get IAM policy
You can view the current IAM policy on a featurestore or entity type by using the Google Cloud console or API.
Web UI
- In the Vertex AI section of the Google Cloud console, go to the Features page.
- Select a region from the Region drop-down list.
- In the features table, select a featurestore or an entity type from the Featurestore or Entity type column.
- Click Permissions.
- To show resource-level permissions, turn off Show inherited permissions. Principals who have access to the selected resource are grouped by role.
- Expand a role to see which principals are assigned to that role.
REST
To get the IAM policy from a resource, send a POST request that uses the getIamPolicy method. The following example gets an entity type policy.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the featurestore is located, such as us-central1.
- PROJECT_ID: Your project ID.
- FEATURESTORE_ID: ID of the featurestore.
- ENTITY_TYPE_ID: ID of the entity type.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:getIamPolicy
To send your request, choose one of these options:
curl
Execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:getIamPolicy"
PowerShell
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:getIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwXTmICm7mI",
  "bindings": [
    {
      "role": "roles/aiplatform.entityTypeOwner",
      "members": [
        "user:example@example.com"
      ]
    }
  ]
}
Set an IAM policy
You can set an IAM policy on a featurestore or entity type.
Web UI
- In the Vertex AI section of the Google Cloud console, go to the Features page.
- Select a region from the Region drop-down list.
- In the features table, select a featurestore or an entity type from the Featurestore or Entity type column.
- Click Permissions.
- Click Add principal.
- Specify a principal and one or more roles to associate with the principal.
- Click Save.
REST
To set the IAM policy on a resource, send a POST request that uses the setIamPolicy method. The following example sets a policy on an entity type.
Setting an IAM policy overrides any existing policy (changes are not appended). If you want to modify a resource's existing policy, use the getIamPolicy method to get its existing policy and then make modifications. Include your modified policy along with the etag in your setIamPolicy request.
If you receive a 409 error code, there was a concurrent SetIamPolicy request that updated the policy. Make a GetIamPolicy request to get the policy's updated etag, and then retry the SetIamPolicy request by including the new etag.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the featurestore is located, such as us-central1.
- PROJECT_ID: Your project ID.
- FEATURESTORE_ID: ID of the featurestore.
- ENTITY_TYPE_ID: ID of the entity type.
- ROLE: An IAM role that includes the permissions to grant, such as roles/aiplatform.featurestoreDataViewer.
- PRINCIPAL: The principal that is granted the role's permissions, such as user:myuser@example.com.
- ETAG: A string value that is used to prevent simultaneous updates of a policy from overwriting each other. This value is returned as part of the getIamPolicy response.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "ROLE",
        "members": [
          "PRINCIPAL"
        ]
      },
      ...
    ],
    "etag": "ETAG"
  }
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:setIamPolicy"
PowerShell
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwXTmICm7mI",
  "bindings": [
    {
      "role": "roles/aiplatform.entityTypeOwner",
      "members": [
        "user:user1@example.com"
      ]
    },
    {
      "role": "roles/aiplatform.featurestoreDataViewer",
      "members": [
        "user:user2@example.com",
        "user:user3@example.com"
      ]
    },
    {
      "role": "roles/aiplatform.featurestoreDataWriter",
      "members": [
        "user:user4@example.com"
      ]
    }
  ]
}
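Because setIamPolicy replaces the whole policy, a safe grant is a read-modify-write: fetch the policy, add the binding to what is already there, and write it back with the etag you read, retrying from a fresh getIamPolicy when the API answers 409. The Python below is an added example, not code from the Google Cloud documentation. The two API calls are passed in as callables so the logic runs offline against the in-memory FakeResource defined in the block; against the real API those callables would issue the getIamPolicy and setIamPolicy POSTs shown above. The policies, principals and etag values are constructed, and ConflictError stands in for the HTTP 409 response.

```python
"""Read-modify-write of a resource IAM policy with etag-based concurrency control.

Added example, not code from the Google Cloud documentation. The transport is
injected as two callables (get_policy, set_policy); FakeResource below is a
constructed in-memory stand-in for an entity type's IAM policy endpoint.
"""
import copy
import secrets


class ConflictError(Exception):
    """Raised by the transport when the API answers HTTP 409 (stale etag)."""


def add_member(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` bound to `role`.

    Existing bindings and the etag are kept, because setIamPolicy replaces the
    whole policy rather than appending to it.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def grant_role(get_policy, set_policy, role: str, member: str, max_attempts: int = 3) -> dict:
    """Get the policy, add the binding, set it back with the etag just read.

    A ConflictError (the 409 case on this page) means another writer updated
    the policy in between: re-read to obtain the new etag and try again.
    """
    for _ in range(max_attempts):
        current = get_policy()
        desired = add_member(current, role, member)
        if desired["bindings"] == current.get("bindings", []):
            return current  # binding already present; nothing to write
        try:
            return set_policy(desired)  # desired still carries current['etag']
        except ConflictError:
            continue
    raise RuntimeError(f"gave up after {max_attempts} conflicting updates")


class FakeResource:
    """Constructed in-memory endpoint mimicking getIamPolicy/setIamPolicy semantics."""

    def __init__(self, policy: dict):
        self._policy = policy
        self.set_calls = 0

    def get_iam_policy(self) -> dict:
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy: dict) -> dict:
        self.set_calls += 1
        if policy.get("etag") != self._policy["etag"]:
            raise ConflictError("409: policy was modified concurrently")
        self._policy = {
            "version": 1,
            "etag": secrets.token_urlsafe(8),  # fresh etag, as the real API returns
            "bindings": copy.deepcopy(policy["bindings"]),
        }
        return self.get_iam_policy()


def demo() -> dict:
    """Exercise the 409 path: another admin writes just before our first set."""
    resource = FakeResource({
        "version": 1,
        "etag": "etag-0",  # constructed value, shaped like the page's "BwXTmICm7mI"
        "bindings": [{"role": "roles/aiplatform.entityTypeOwner",
                      "members": ["user:user1@example.com"]}],
    })
    pending_race = [True]

    def racy_set(policy):
        # On the first attempt a concurrent writer lands first, so our etag is stale.
        if pending_race[0]:
            pending_race[0] = False
            resource.set_iam_policy(add_member(
                resource.get_iam_policy(),
                "roles/aiplatform.featurestoreDataWriter", "user:user4@example.com"))
        return resource.set_iam_policy(policy)

    final = grant_role(resource.get_iam_policy, racy_set,
                       "roles/aiplatform.featurestoreDataViewer", "user:user2@example.com")
    final["set_calls"] = resource.set_calls  # 3: concurrent write, stale attempt, retry
    return final


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The important property is visible in the final policy: both the concurrent writer's DataWriter binding and our DataViewer binding survive, which a naive setIamPolicy with a hand-written body would have silently lost.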
Verify IAM permissions for a resource
You can verify whether the currently authenticated user has specific IAM permissions for a featurestore or entity type.
REST
To verify whether a user has specific IAM permissions for a resource, send a POST request that uses the testIamPermissions method. The following example lets you test whether the currently authenticated user has a set of IAM permissions for an entity type.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the featurestore is located, such as us-central1.
- PROJECT_ID: Your project ID.
- FEATURESTORE_ID: ID of the featurestore.
- ENTITY_TYPE_ID: ID of the entity type.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:testIamPermissions
Request JSON body:
{
  "permissions": [
    "aiplatform.googleapis.com/entityTypes.get",
    "aiplatform.googleapis.com/entityTypes.readFeatureValues",
    "aiplatform.googleapis.com/entityTypes.writeFeatureValues"
  ]
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:testIamPermissions"
PowerShell
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featurestores/FEATURESTORE_ID/entityTypes/ENTITY_TYPE_ID:testIamPermissions" | Select-Object -Expand Content
You should receive a JSON response similar to the following, listing the subset of the requested permissions that the caller holds:
{
  "permissions": [
    "aiplatform.googleapis.com/entityTypes.get",
    "aiplatform.googleapis.com/entityTypes.readFeatureValues",
    "aiplatform.googleapis.com/entityTypes.writeFeatureValues"
  ]
}