Vertex AI access control with IAM

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to use Identity and Access Management (IAM) to manage access to Vertex AI resources. To manage access to Vertex AI Workbench resources, see the access control pages for managed notebooks or user-managed notebooks.

Vertex AI uses IAM to manage access to resources. You can manage access at the project level or resource level. To grant access to resources at the project level, assign one or more roles to a principal (user, group, or service account). To grant access to a specific resource, set an IAM policy on that resource; the resource must support resource-level policies. The policy defines which roles are assigned to which principals.

There are different types of IAM roles that can be used in Vertex AI:

  • Predefined roles let you grant a set of related permissions to your Vertex AI resources at the project level.

  • Basic roles (Owner, Editor, and Viewer) provide access control to your Vertex AI resources at the project level, and are common to all Google Cloud services.

  • Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.

To add, update, or remove these roles in your Vertex AI project, see the documentation on granting, changing, and revoking access.

Predefined roles for Vertex AI

Role Permissions

(roles/aiplatform.admin)

Grants full access to all resources in Vertex AI

Contains 3 owner permissions

aiplatform.*

  • aiplatform.annotationSpecs.create
  • aiplatform.annotationSpecs.delete
  • aiplatform.annotationSpecs.get
  • aiplatform.annotationSpecs.list
  • aiplatform.annotationSpecs.update
  • aiplatform.annotations.create
  • aiplatform.annotations.delete
  • aiplatform.annotations.get
  • aiplatform.annotations.list
  • aiplatform.annotations.update
  • aiplatform.artifacts.create
  • aiplatform.artifacts.delete
  • aiplatform.artifacts.get
  • aiplatform.artifacts.list
  • aiplatform.artifacts.update
  • aiplatform.batchPredictionJobs.cancel
  • aiplatform.batchPredictionJobs.create
  • aiplatform.batchPredictionJobs.delete
  • aiplatform.batchPredictionJobs.get
  • aiplatform.batchPredictionJobs.list
  • aiplatform.contexts.addContextArtifactsAndExecutions
  • aiplatform.contexts.addContextChildren
  • aiplatform.contexts.create
  • aiplatform.contexts.delete
  • aiplatform.contexts.get
  • aiplatform.contexts.list
  • aiplatform.contexts.queryContextLineageSubgraph
  • aiplatform.contexts.update
  • aiplatform.customJobs.cancel
  • aiplatform.customJobs.create
  • aiplatform.customJobs.delete
  • aiplatform.customJobs.get
  • aiplatform.customJobs.list
  • aiplatform.dataItems.create
  • aiplatform.dataItems.delete
  • aiplatform.dataItems.get
  • aiplatform.dataItems.list
  • aiplatform.dataItems.update
  • aiplatform.dataLabelingJobs.cancel
  • aiplatform.dataLabelingJobs.create
  • aiplatform.dataLabelingJobs.delete
  • aiplatform.dataLabelingJobs.get
  • aiplatform.dataLabelingJobs.list
  • aiplatform.datasets.create
  • aiplatform.datasets.delete
  • aiplatform.datasets.export
  • aiplatform.datasets.get
  • aiplatform.datasets.import
  • aiplatform.datasets.list
  • aiplatform.datasets.update
  • aiplatform.deploymentResourcePools.create
  • aiplatform.deploymentResourcePools.delete
  • aiplatform.deploymentResourcePools.get
  • aiplatform.deploymentResourcePools.list
  • aiplatform.deploymentResourcePools.queryDeployedModels
  • aiplatform.deploymentResourcePools.update
  • aiplatform.edgeDeploymentJobs.create
  • aiplatform.edgeDeploymentJobs.delete
  • aiplatform.edgeDeploymentJobs.get
  • aiplatform.edgeDeploymentJobs.list
  • aiplatform.edgeDeviceDebugInfo.get
  • aiplatform.edgeDevices.create
  • aiplatform.edgeDevices.delete
  • aiplatform.edgeDevices.get
  • aiplatform.edgeDevices.list
  • aiplatform.edgeDevices.update
  • aiplatform.endpoints.create
  • aiplatform.endpoints.delete
  • aiplatform.endpoints.deploy
  • aiplatform.endpoints.explain
  • aiplatform.endpoints.get
  • aiplatform.endpoints.list
  • aiplatform.endpoints.predict
  • aiplatform.endpoints.undeploy
  • aiplatform.endpoints.update
  • aiplatform.entityTypes.create
  • aiplatform.entityTypes.delete
  • aiplatform.entityTypes.deleteFeatureValues
  • aiplatform.entityTypes.exportFeatureValues
  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.getIamPolicy
  • aiplatform.entityTypes.importFeatureValues
  • aiplatform.entityTypes.list
  • aiplatform.entityTypes.readFeatureValues
  • aiplatform.entityTypes.setIamPolicy
  • aiplatform.entityTypes.streamingReadFeatureValues
  • aiplatform.entityTypes.update
  • aiplatform.entityTypes.writeFeatureValues
  • aiplatform.executions.addExecutionEvents
  • aiplatform.executions.create
  • aiplatform.executions.delete
  • aiplatform.executions.get
  • aiplatform.executions.list
  • aiplatform.executions.queryExecutionInputsAndOutputs
  • aiplatform.executions.update
  • aiplatform.features.create
  • aiplatform.features.delete
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.features.update
  • aiplatform.featurestores.batchReadFeatureValues
  • aiplatform.featurestores.create
  • aiplatform.featurestores.delete
  • aiplatform.featurestores.exportFeatures
  • aiplatform.featurestores.get
  • aiplatform.featurestores.getIamPolicy
  • aiplatform.featurestores.importFeatures
  • aiplatform.featurestores.list
  • aiplatform.featurestores.readFeatures
  • aiplatform.featurestores.setIamPolicy
  • aiplatform.featurestores.update
  • aiplatform.featurestores.writeFeatures
  • aiplatform.humanInTheLoops.cancel
  • aiplatform.humanInTheLoops.create
  • aiplatform.humanInTheLoops.delete
  • aiplatform.humanInTheLoops.get
  • aiplatform.humanInTheLoops.list
  • aiplatform.humanInTheLoops.queryAnnotationStats
  • aiplatform.humanInTheLoops.send
  • aiplatform.humanInTheLoops.update
  • aiplatform.hyperparameterTuningJobs.cancel
  • aiplatform.hyperparameterTuningJobs.create
  • aiplatform.hyperparameterTuningJobs.delete
  • aiplatform.hyperparameterTuningJobs.get
  • aiplatform.hyperparameterTuningJobs.list
  • aiplatform.indexEndpoints.create
  • aiplatform.indexEndpoints.delete
  • aiplatform.indexEndpoints.deploy
  • aiplatform.indexEndpoints.get
  • aiplatform.indexEndpoints.list
  • aiplatform.indexEndpoints.queryVectors
  • aiplatform.indexEndpoints.undeploy
  • aiplatform.indexEndpoints.update
  • aiplatform.indexes.create
  • aiplatform.indexes.delete
  • aiplatform.indexes.get
  • aiplatform.indexes.list
  • aiplatform.indexes.update
  • aiplatform.locations.get
  • aiplatform.locations.list
  • aiplatform.metadataSchemas.create
  • aiplatform.metadataSchemas.delete
  • aiplatform.metadataSchemas.get
  • aiplatform.metadataSchemas.list
  • aiplatform.metadataStores.create
  • aiplatform.metadataStores.delete
  • aiplatform.metadataStores.get
  • aiplatform.metadataStores.list
  • aiplatform.migratableResources.migrate
  • aiplatform.migratableResources.search
  • aiplatform.modelDeploymentMonitoringJobs.create
  • aiplatform.modelDeploymentMonitoringJobs.delete
  • aiplatform.modelDeploymentMonitoringJobs.get
  • aiplatform.modelDeploymentMonitoringJobs.list
  • aiplatform.modelDeploymentMonitoringJobs.pause
  • aiplatform.modelDeploymentMonitoringJobs.resume
  • aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
  • aiplatform.modelDeploymentMonitoringJobs.update
  • aiplatform.modelEvaluationSlices.get
  • aiplatform.modelEvaluationSlices.list
  • aiplatform.modelEvaluations.exportEvaluatedDataItems
  • aiplatform.modelEvaluations.get
  • aiplatform.modelEvaluations.list
  • aiplatform.models.delete
  • aiplatform.models.export
  • aiplatform.models.get
  • aiplatform.models.list
  • aiplatform.models.update
  • aiplatform.models.upload
  • aiplatform.nasJobs.cancel
  • aiplatform.nasJobs.create
  • aiplatform.nasJobs.delete
  • aiplatform.nasJobs.get
  • aiplatform.nasJobs.list
  • aiplatform.nasTrialDetails.get
  • aiplatform.nasTrialDetails.list
  • aiplatform.operations.list
  • aiplatform.pipelineJobs.cancel
  • aiplatform.pipelineJobs.create
  • aiplatform.pipelineJobs.delete
  • aiplatform.pipelineJobs.get
  • aiplatform.pipelineJobs.list
  • aiplatform.specialistPools.create
  • aiplatform.specialistPools.delete
  • aiplatform.specialistPools.get
  • aiplatform.specialistPools.list
  • aiplatform.specialistPools.update
  • aiplatform.studies.create
  • aiplatform.studies.delete
  • aiplatform.studies.get
  • aiplatform.studies.list
  • aiplatform.studies.update
  • aiplatform.tensorboardExperiments.create
  • aiplatform.tensorboardExperiments.delete
  • aiplatform.tensorboardExperiments.get
  • aiplatform.tensorboardExperiments.list
  • aiplatform.tensorboardExperiments.update
  • aiplatform.tensorboardExperiments.write
  • aiplatform.tensorboardRuns.batchCreate
  • aiplatform.tensorboardRuns.create
  • aiplatform.tensorboardRuns.delete
  • aiplatform.tensorboardRuns.get
  • aiplatform.tensorboardRuns.list
  • aiplatform.tensorboardRuns.update
  • aiplatform.tensorboardRuns.write
  • aiplatform.tensorboardTimeSeries.batchCreate
  • aiplatform.tensorboardTimeSeries.batchRead
  • aiplatform.tensorboardTimeSeries.create
  • aiplatform.tensorboardTimeSeries.delete
  • aiplatform.tensorboardTimeSeries.get
  • aiplatform.tensorboardTimeSeries.list
  • aiplatform.tensorboardTimeSeries.read
  • aiplatform.tensorboardTimeSeries.update
  • aiplatform.tensorboards.create
  • aiplatform.tensorboards.delete
  • aiplatform.tensorboards.get
  • aiplatform.tensorboards.list
  • aiplatform.tensorboards.recordAccess
  • aiplatform.tensorboards.update
  • aiplatform.trainingPipelines.cancel
  • aiplatform.trainingPipelines.create
  • aiplatform.trainingPipelines.delete
  • aiplatform.trainingPipelines.get
  • aiplatform.trainingPipelines.list
  • aiplatform.trials.create
  • aiplatform.trials.delete
  • aiplatform.trials.get
  • aiplatform.trials.list
  • aiplatform.trials.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.entityTypeOwner)

Provides full access to all permissions for a particular entity type resource.

Lowest-level resources where you can grant this role:

  • Entity type

Contains 1 owner permission

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.getIamPolicy

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.setIamPolicy

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.features.*

  • aiplatform.features.create
  • aiplatform.features.delete
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.features.update

aiplatform.featurestores.batchReadFeatureValues

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreAdmin)

Grants full access to all resources in Vertex AI Feature Store

Lowest-level resources where you can grant this role:

  • Entity type

Contains 2 owner permissions

aiplatform.entityTypes.*

  • aiplatform.entityTypes.create
  • aiplatform.entityTypes.delete
  • aiplatform.entityTypes.deleteFeatureValues
  • aiplatform.entityTypes.exportFeatureValues
  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.getIamPolicy
  • aiplatform.entityTypes.importFeatureValues
  • aiplatform.entityTypes.list
  • aiplatform.entityTypes.readFeatureValues
  • aiplatform.entityTypes.setIamPolicy
  • aiplatform.entityTypes.streamingReadFeatureValues
  • aiplatform.entityTypes.update
  • aiplatform.entityTypes.writeFeatureValues

aiplatform.features.*

  • aiplatform.features.create
  • aiplatform.features.delete
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.features.update

aiplatform.featurestores.*

  • aiplatform.featurestores.batchReadFeatureValues
  • aiplatform.featurestores.create
  • aiplatform.featurestores.delete
  • aiplatform.featurestores.exportFeatures
  • aiplatform.featurestores.get
  • aiplatform.featurestores.getIamPolicy
  • aiplatform.featurestores.importFeatures
  • aiplatform.featurestores.list
  • aiplatform.featurestores.readFeatures
  • aiplatform.featurestores.setIamPolicy
  • aiplatform.featurestores.update
  • aiplatform.featurestores.writeFeatures

aiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreDataViewer)

This role provides permissions to read Feature data.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.batchReadFeatureValues

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreDataWriter)

This role provides permissions to read and write Feature data.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.writeFeatureValues

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.batchReadFeatureValues

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreInstanceCreator)

Administrator of Featurestore resources, but not the child resources under Featurestores.

Lowest-level resources where you can grant this role:

  • Featurestore

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.get

aiplatform.featurestores.list

aiplatform.featurestores.update

(roles/aiplatform.featurestoreResourceViewer)

Viewer of all resources in Vertex AI Feature Store but cannot make changes.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.get

aiplatform.entityTypes.list

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.get

aiplatform.featurestores.list

aiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreUser)

Deprecated. Use featurestoreAdmin instead.

Contains 2 owner permissions

aiplatform.entityTypes.*

  • aiplatform.entityTypes.create
  • aiplatform.entityTypes.delete
  • aiplatform.entityTypes.deleteFeatureValues
  • aiplatform.entityTypes.exportFeatureValues
  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.getIamPolicy
  • aiplatform.entityTypes.importFeatureValues
  • aiplatform.entityTypes.list
  • aiplatform.entityTypes.readFeatureValues
  • aiplatform.entityTypes.setIamPolicy
  • aiplatform.entityTypes.streamingReadFeatureValues
  • aiplatform.entityTypes.update
  • aiplatform.entityTypes.writeFeatureValues

aiplatform.features.*

  • aiplatform.features.create
  • aiplatform.features.delete
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.features.update

aiplatform.featurestores.*

  • aiplatform.featurestores.batchReadFeatureValues
  • aiplatform.featurestores.create
  • aiplatform.featurestores.delete
  • aiplatform.featurestores.exportFeatures
  • aiplatform.featurestores.get
  • aiplatform.featurestores.getIamPolicy
  • aiplatform.featurestores.importFeatures
  • aiplatform.featurestores.list
  • aiplatform.featurestores.readFeatures
  • aiplatform.featurestores.setIamPolicy
  • aiplatform.featurestores.update
  • aiplatform.featurestores.writeFeatures

aiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.migrator)

Grants access to use migration service in Vertex AI

aiplatform.migratableResources.*

  • aiplatform.migratableResources.migrate
  • aiplatform.migratableResources.search

(roles/aiplatform.tensorboardWebAppUser)

Grants access to the Vertex AI Tensorboard web app. Using the web app will incur charges.

Contains 1 owner permission

aiplatform.tensorboards.recordAccess

(roles/aiplatform.user)

Grants access to use all resource in Vertex AI

aiplatform.annotationSpecs.*

  • aiplatform.annotationSpecs.create
  • aiplatform.annotationSpecs.delete
  • aiplatform.annotationSpecs.get
  • aiplatform.annotationSpecs.list
  • aiplatform.annotationSpecs.update

aiplatform.annotations.*

  • aiplatform.annotations.create
  • aiplatform.annotations.delete
  • aiplatform.annotations.get
  • aiplatform.annotations.list
  • aiplatform.annotations.update

aiplatform.artifacts.*

  • aiplatform.artifacts.create
  • aiplatform.artifacts.delete
  • aiplatform.artifacts.get
  • aiplatform.artifacts.list
  • aiplatform.artifacts.update

aiplatform.batchPredictionJobs.*

  • aiplatform.batchPredictionJobs.cancel
  • aiplatform.batchPredictionJobs.create
  • aiplatform.batchPredictionJobs.delete
  • aiplatform.batchPredictionJobs.get
  • aiplatform.batchPredictionJobs.list

aiplatform.contexts.*

  • aiplatform.contexts.addContextArtifactsAndExecutions
  • aiplatform.contexts.addContextChildren
  • aiplatform.contexts.create
  • aiplatform.contexts.delete
  • aiplatform.contexts.get
  • aiplatform.contexts.list
  • aiplatform.contexts.queryContextLineageSubgraph
  • aiplatform.contexts.update

aiplatform.customJobs.*

  • aiplatform.customJobs.cancel
  • aiplatform.customJobs.create
  • aiplatform.customJobs.delete
  • aiplatform.customJobs.get
  • aiplatform.customJobs.list

aiplatform.dataItems.*

  • aiplatform.dataItems.create
  • aiplatform.dataItems.delete
  • aiplatform.dataItems.get
  • aiplatform.dataItems.list
  • aiplatform.dataItems.update

aiplatform.dataLabelingJobs.*

  • aiplatform.dataLabelingJobs.cancel
  • aiplatform.dataLabelingJobs.create
  • aiplatform.dataLabelingJobs.delete
  • aiplatform.dataLabelingJobs.get
  • aiplatform.dataLabelingJobs.list

aiplatform.datasets.*

  • aiplatform.datasets.create
  • aiplatform.datasets.delete
  • aiplatform.datasets.export
  • aiplatform.datasets.get
  • aiplatform.datasets.import
  • aiplatform.datasets.list
  • aiplatform.datasets.update

aiplatform.deploymentResourcePools.*

  • aiplatform.deploymentResourcePools.create
  • aiplatform.deploymentResourcePools.delete
  • aiplatform.deploymentResourcePools.get
  • aiplatform.deploymentResourcePools.list
  • aiplatform.deploymentResourcePools.queryDeployedModels
  • aiplatform.deploymentResourcePools.update

aiplatform.edgeDeploymentJobs.*

  • aiplatform.edgeDeploymentJobs.create
  • aiplatform.edgeDeploymentJobs.delete
  • aiplatform.edgeDeploymentJobs.get
  • aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.*

  • aiplatform.edgeDevices.create
  • aiplatform.edgeDevices.delete
  • aiplatform.edgeDevices.get
  • aiplatform.edgeDevices.list
  • aiplatform.edgeDevices.update

aiplatform.endpoints.*

  • aiplatform.endpoints.create
  • aiplatform.endpoints.delete
  • aiplatform.endpoints.deploy
  • aiplatform.endpoints.explain
  • aiplatform.endpoints.get
  • aiplatform.endpoints.list
  • aiplatform.endpoints.predict
  • aiplatform.endpoints.undeploy
  • aiplatform.endpoints.update

aiplatform.entityTypes.create

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.list

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.executions.*

  • aiplatform.executions.addExecutionEvents
  • aiplatform.executions.create
  • aiplatform.executions.delete
  • aiplatform.executions.get
  • aiplatform.executions.list
  • aiplatform.executions.queryExecutionInputsAndOutputs
  • aiplatform.executions.update

aiplatform.features.*

  • aiplatform.features.create
  • aiplatform.features.delete
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.features.update

aiplatform.featurestores.batchReadFeatureValues

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.exportFeatures

aiplatform.featurestores.get

aiplatform.featurestores.importFeatures

aiplatform.featurestores.list

aiplatform.featurestores.readFeatures

aiplatform.featurestores.update

aiplatform.featurestores.writeFeatures

aiplatform.humanInTheLoops.*

  • aiplatform.humanInTheLoops.cancel
  • aiplatform.humanInTheLoops.create
  • aiplatform.humanInTheLoops.delete
  • aiplatform.humanInTheLoops.get
  • aiplatform.humanInTheLoops.list
  • aiplatform.humanInTheLoops.queryAnnotationStats
  • aiplatform.humanInTheLoops.send
  • aiplatform.humanInTheLoops.update

aiplatform.hyperparameterTuningJobs.*

  • aiplatform.hyperparameterTuningJobs.cancel
  • aiplatform.hyperparameterTuningJobs.create
  • aiplatform.hyperparameterTuningJobs.delete
  • aiplatform.hyperparameterTuningJobs.get
  • aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.*

  • aiplatform.indexEndpoints.create
  • aiplatform.indexEndpoints.delete
  • aiplatform.indexEndpoints.deploy
  • aiplatform.indexEndpoints.get
  • aiplatform.indexEndpoints.list
  • aiplatform.indexEndpoints.queryVectors
  • aiplatform.indexEndpoints.undeploy
  • aiplatform.indexEndpoints.update

aiplatform.indexes.*

  • aiplatform.indexes.create
  • aiplatform.indexes.delete
  • aiplatform.indexes.get
  • aiplatform.indexes.list
  • aiplatform.indexes.update

aiplatform.locations.*

  • aiplatform.locations.get
  • aiplatform.locations.list

aiplatform.metadataSchemas.*

  • aiplatform.metadataSchemas.create
  • aiplatform.metadataSchemas.delete
  • aiplatform.metadataSchemas.get
  • aiplatform.metadataSchemas.list

aiplatform.metadataStores.*

  • aiplatform.metadataStores.create
  • aiplatform.metadataStores.delete
  • aiplatform.metadataStores.get
  • aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.*

  • aiplatform.modelDeploymentMonitoringJobs.create
  • aiplatform.modelDeploymentMonitoringJobs.delete
  • aiplatform.modelDeploymentMonitoringJobs.get
  • aiplatform.modelDeploymentMonitoringJobs.list
  • aiplatform.modelDeploymentMonitoringJobs.pause
  • aiplatform.modelDeploymentMonitoringJobs.resume
  • aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
  • aiplatform.modelDeploymentMonitoringJobs.update

aiplatform.modelEvaluationSlices.*

  • aiplatform.modelEvaluationSlices.get
  • aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.*

  • aiplatform.modelEvaluations.exportEvaluatedDataItems
  • aiplatform.modelEvaluations.get
  • aiplatform.modelEvaluations.list

aiplatform.models.*

  • aiplatform.models.delete
  • aiplatform.models.export
  • aiplatform.models.get
  • aiplatform.models.list
  • aiplatform.models.update
  • aiplatform.models.upload

aiplatform.nasJobs.*

  • aiplatform.nasJobs.cancel
  • aiplatform.nasJobs.create
  • aiplatform.nasJobs.delete
  • aiplatform.nasJobs.get
  • aiplatform.nasJobs.list

aiplatform.nasTrialDetails.*

  • aiplatform.nasTrialDetails.get
  • aiplatform.nasTrialDetails.list

aiplatform.operations.list

aiplatform.pipelineJobs.*

  • aiplatform.pipelineJobs.cancel
  • aiplatform.pipelineJobs.create
  • aiplatform.pipelineJobs.delete
  • aiplatform.pipelineJobs.get
  • aiplatform.pipelineJobs.list

aiplatform.specialistPools.*

  • aiplatform.specialistPools.create
  • aiplatform.specialistPools.delete
  • aiplatform.specialistPools.get
  • aiplatform.specialistPools.list
  • aiplatform.specialistPools.update

aiplatform.studies.*

  • aiplatform.studies.create
  • aiplatform.studies.delete
  • aiplatform.studies.get
  • aiplatform.studies.list
  • aiplatform.studies.update

aiplatform.tensorboardExperiments.*

  • aiplatform.tensorboardExperiments.create
  • aiplatform.tensorboardExperiments.delete
  • aiplatform.tensorboardExperiments.get
  • aiplatform.tensorboardExperiments.list
  • aiplatform.tensorboardExperiments.update
  • aiplatform.tensorboardExperiments.write

aiplatform.tensorboardRuns.*

  • aiplatform.tensorboardRuns.batchCreate
  • aiplatform.tensorboardRuns.create
  • aiplatform.tensorboardRuns.delete
  • aiplatform.tensorboardRuns.get
  • aiplatform.tensorboardRuns.list
  • aiplatform.tensorboardRuns.update
  • aiplatform.tensorboardRuns.write

aiplatform.tensorboardTimeSeries.*

  • aiplatform.tensorboardTimeSeries.batchCreate
  • aiplatform.tensorboardTimeSeries.batchRead
  • aiplatform.tensorboardTimeSeries.create
  • aiplatform.tensorboardTimeSeries.delete
  • aiplatform.tensorboardTimeSeries.get
  • aiplatform.tensorboardTimeSeries.list
  • aiplatform.tensorboardTimeSeries.read
  • aiplatform.tensorboardTimeSeries.update

aiplatform.tensorboards.create

aiplatform.tensorboards.delete

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.tensorboards.update

aiplatform.trainingPipelines.*

  • aiplatform.trainingPipelines.cancel
  • aiplatform.trainingPipelines.create
  • aiplatform.trainingPipelines.delete
  • aiplatform.trainingPipelines.get
  • aiplatform.trainingPipelines.list

aiplatform.trials.*

  • aiplatform.trials.create
  • aiplatform.trials.delete
  • aiplatform.trials.get
  • aiplatform.trials.list
  • aiplatform.trials.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.viewer)

Grants access to view all resource in Vertex AI

aiplatform.annotationSpecs.get

aiplatform.annotationSpecs.list

aiplatform.annotations.get

aiplatform.annotations.list

aiplatform.artifacts.get

aiplatform.artifacts.list

aiplatform.batchPredictionJobs.get

aiplatform.batchPredictionJobs.list

aiplatform.contexts.get

aiplatform.contexts.list

aiplatform.contexts.queryContextLineageSubgraph

aiplatform.customJobs.get

aiplatform.customJobs.list

aiplatform.dataItems.get

aiplatform.dataItems.list

aiplatform.dataLabelingJobs.get

aiplatform.dataLabelingJobs.list

aiplatform.datasets.get

aiplatform.datasets.list

aiplatform.deploymentResourcePools.get

aiplatform.deploymentResourcePools.list

aiplatform.deploymentResourcePools.queryDeployedModels

aiplatform.edgeDeploymentJobs.get

aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.get

aiplatform.edgeDevices.list

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.entityTypes.get

aiplatform.entityTypes.list

aiplatform.executions.get

aiplatform.executions.list

aiplatform.executions.queryExecutionInputsAndOutputs

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.get

aiplatform.featurestores.list

aiplatform.humanInTheLoops.get

aiplatform.humanInTheLoops.list

aiplatform.hyperparameterTuningJobs.get

aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.get

aiplatform.indexEndpoints.list

aiplatform.indexEndpoints.queryVectors

aiplatform.indexes.get

aiplatform.indexes.list

aiplatform.locations.*

  • aiplatform.locations.get
  • aiplatform.locations.list

aiplatform.metadataSchemas.get

aiplatform.metadataSchemas.list

aiplatform.metadataStores.get

aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.get

aiplatform.modelDeploymentMonitoringJobs.list

aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies

aiplatform.modelEvaluationSlices.*

  • aiplatform.modelEvaluationSlices.get
  • aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.get

aiplatform.modelEvaluations.list

aiplatform.models.get

aiplatform.models.list

aiplatform.nasJobs.get

aiplatform.nasJobs.list

aiplatform.nasTrialDetails.*

  • aiplatform.nasTrialDetails.get
  • aiplatform.nasTrialDetails.list

aiplatform.operations.list

aiplatform.pipelineJobs.get

aiplatform.pipelineJobs.list

aiplatform.specialistPools.get

aiplatform.specialistPools.list

aiplatform.specialistPools.update

aiplatform.studies.get

aiplatform.studies.list

aiplatform.tensorboardExperiments.get

aiplatform.tensorboardExperiments.list

aiplatform.tensorboardRuns.get

aiplatform.tensorboardRuns.list

aiplatform.tensorboardTimeSeries.batchRead

aiplatform.tensorboardTimeSeries.get

aiplatform.tensorboardTimeSeries.list

aiplatform.tensorboardTimeSeries.read

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.trainingPipelines.get

aiplatform.trainingPipelines.list

aiplatform.trials.get

aiplatform.trials.list

resourcemanager.projects.get

resourcemanager.projects.list

Basic roles

The older Google Cloud basic roles are common to all Google Cloud services. These roles are Owner, Editor, and Viewer.

The basic roles provide permissions across Google Cloud, not just for Vertex AI. For this reason, you should use Vertex AI roles whenever possible.

Custom roles

If the predefined IAM roles for Vertex AI don't meet your needs, you can define custom roles. Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization. For more information, see Understanding IAM custom roles.

Project-level versus resource-level policies

Setting a policy at the resource level doesn't affect project-level policies. A resource inherits all policies from its ancestry. You can use these two levels of granularity to customize permissions. For example, you can grant users read permissions at the project level so that they can read all resources in the project, and then you can grant users write permissions per resource (at the resource level).

Not all Vertex AI predefined roles and resources support resource-level policies. To see which roles can be used on which resources, view the descriptions for each role.

Supported resources

Vertex AI supports Vertex AI Feature Store featurestore and entity type resources. For more information, see Control access to Vertex AI Feature Store resources.

After granting or revoking access to a resource, those changes take time to propagate. For more information, see the IAM frequently asked questions.

About service accounts and service agents

Service accounts

A service account is a special account used by an application or a virtual machine (VM) instance, not a person. You can create and assign permissions to service accounts to provide specific permissions to a resource or application.

For information about using a service account to customize the permissions available to a custom training container or a container that serves online predictions for a custom-trained model, read Using a custom service account.

Service accounts are identified by an email address.

Service agents

Service agents are Google-managed service accounts that are automatically provided; they enable a service to access resources on your behalf. Vertex AI uses these service agents:

Name Used for Email address
Vertex AI Service Agent Vertex AI functionality service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com
Vertex AI Custom Code Service Agent Custom training code service-PROJECT_NUMBER@gcp-sa-aiplatform-cc.iam.gserviceaccount.com

The Vertex AI Custom Code Service Agent is created only if you run custom training code to train a custom-trained model.

When created, each service agent is granted one of the following predefined roles for your project. Each service agent is granted the role that matches its name.

Role Permissions

(roles/aiplatform.serviceAgent)

Gives Vertex AI the permissions it needs to function.

Contains 3 owner permissions

aiplatform.annotationSpecs.*

  • aiplatform.annotationSpecs.create
  • aiplatform.annotationSpecs.delete
  • aiplatform.annotationSpecs.get
  • aiplatform.annotationSpecs.list
  • aiplatform.annotationSpecs.update

aiplatform.annotations.*

  • aiplatform.annotations.create
  • aiplatform.annotations.delete
  • aiplatform.annotations.get
  • aiplatform.annotations.list
  • aiplatform.annotations.update

aiplatform.artifacts.*

  • aiplatform.artifacts.create
  • aiplatform.artifacts.delete
  • aiplatform.artifacts.get
  • aiplatform.artifacts.list
  • aiplatform.artifacts.update

aiplatform.batchPredictionJobs.*

  • aiplatform.batchPredictionJobs.cancel
  • aiplatform.batchPredictionJobs.create
  • aiplatform.batchPredictionJobs.delete
  • aiplatform.batchPredictionJobs.get
  • aiplatform.batchPredictionJobs.list

aiplatform.contexts.*

  • aiplatform.contexts.addContextArtifactsAndExecutions
  • aiplatform.contexts.addContextChildren
  • aiplatform.contexts.create
  • aiplatform.contexts.delete
  • aiplatform.contexts.get
  • aiplatform.contexts.list
  • aiplatform.contexts.queryContextLineageSubgraph
  • aiplatform.contexts.update

aiplatform.customJobs.*

  • aiplatform.customJobs.cancel
  • aiplatform.customJobs.create
  • aiplatform.customJobs.delete
  • aiplatform.customJobs.get
  • aiplatform.customJobs.list

aiplatform.dataItems.*

  • aiplatform.dataItems.create
  • aiplatform.dataItems.delete
  • aiplatform.dataItems.get
  • aiplatform.dataItems.list
  • aiplatform.dataItems.update

aiplatform.dataLabelingJobs.*

  • aiplatform.dataLabelingJobs.cancel
  • aiplatform.dataLabelingJobs.create
  • aiplatform.dataLabelingJobs.delete
  • aiplatform.dataLabelingJobs.get
  • aiplatform.dataLabelingJobs.list

aiplatform.datasets.*

  • aiplatform.datasets.create
  • aiplatform.datasets.delete
  • aiplatform.datasets.export
  • aiplatform.datasets.get
  • aiplatform.datasets.import
  • aiplatform.datasets.list
  • aiplatform.datasets.update

aiplatform.deploymentResourcePools.*

  • aiplatform.deploymentResourcePools.create
  • aiplatform.deploymentResourcePools.delete
  • aiplatform.deploymentResourcePools.get
  • aiplatform.deploymentResourcePools.list
  • aiplatform.deploymentResourcePools.queryDeployedModels
  • aiplatform.deploymentResourcePools.update

aiplatform.edgeDeploymentJobs.*

  • aiplatform.edgeDeploymentJobs.create
  • aiplatform.edgeDeploymentJobs.delete
  • aiplatform.edgeDeploymentJobs.get
  • aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.*

  • aiplatform.edgeDevices.create
  • aiplatform.edgeDevices.delete
  • aiplatform.edgeDevices.get
  • aiplatform.edgeDevices.list
  • aiplatform.edgeDevices.update

aiplatform.endpoints.*

  • aiplatform.endpoints.create
  • aiplatform.endpoints.delete
  • aiplatform.endpoints.deploy
  • aiplatform.endpoints.explain
  • aiplatform.endpoints.get
  • aiplatform.endpoints.list
  • aiplatform.endpoints.predict
  • aiplatform.endpoints.undeploy
  • aiplatform.endpoints.update

aiplatform.entityTypes.create

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.list

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.executions.*

  • aiplatform.executions.addExecutionEvents
  • aiplatform.executions.create
  • aiplatform.executions.delete
  • aiplatform.executions.get
  • aiplatform.executions.list
  • aiplatform.executions.queryExecutionInputsAndOutputs
  • aiplatform.executions.update

aiplatform.features.*

  • aiplatform.features.create
  • aiplatform.features.delete
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.features.update

aiplatform.featurestores.batchReadFeatureValues

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.exportFeatures

aiplatform.featurestores.get

aiplatform.featurestores.importFeatures

aiplatform.featurestores.list

aiplatform.featurestores.readFeatures

aiplatform.featurestores.update

aiplatform.featurestores.writeFeatures

aiplatform.humanInTheLoops.*

  • aiplatform.humanInTheLoops.cancel
  • aiplatform.humanInTheLoops.create
  • aiplatform.humanInTheLoops.delete
  • aiplatform.humanInTheLoops.get
  • aiplatform.humanInTheLoops.list
  • aiplatform.humanInTheLoops.queryAnnotationStats
  • aiplatform.humanInTheLoops.send
  • aiplatform.humanInTheLoops.update

aiplatform.hyperparameterTuningJobs.*

  • aiplatform.hyperparameterTuningJobs.cancel
  • aiplatform.hyperparameterTuningJobs.create
  • aiplatform.hyperparameterTuningJobs.delete
  • aiplatform.hyperparameterTuningJobs.get
  • aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.*

  • aiplatform.indexEndpoints.create
  • aiplatform.indexEndpoints.delete
  • aiplatform.indexEndpoints.deploy
  • aiplatform.indexEndpoints.get
  • aiplatform.indexEndpoints.list
  • aiplatform.indexEndpoints.queryVectors
  • aiplatform.indexEndpoints.undeploy
  • aiplatform.indexEndpoints.update

aiplatform.indexes.*

  • aiplatform.indexes.create
  • aiplatform.indexes.delete
  • aiplatform.indexes.get
  • aiplatform.indexes.list
  • aiplatform.indexes.update

aiplatform.locations.*

  • aiplatform.locations.get
  • aiplatform.locations.list

aiplatform.metadataSchemas.*

  • aiplatform.metadataSchemas.create
  • aiplatform.metadataSchemas.delete
  • aiplatform.metadataSchemas.get
  • aiplatform.metadataSchemas.list

aiplatform.metadataStores.*

  • aiplatform.metadataStores.create
  • aiplatform.metadataStores.delete
  • aiplatform.metadataStores.get
  • aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.*

  • aiplatform.modelDeploymentMonitoringJobs.create
  • aiplatform.modelDeploymentMonitoringJobs.delete
  • aiplatform.modelDeploymentMonitoringJobs.get
  • aiplatform.modelDeploymentMonitoringJobs.list
  • aiplatform.modelDeploymentMonitoringJobs.pause
  • aiplatform.modelDeploymentMonitoringJobs.resume
  • aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
  • aiplatform.modelDeploymentMonitoringJobs.update

aiplatform.modelEvaluationSlices.*

  • aiplatform.modelEvaluationSlices.get
  • aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.*

  • aiplatform.modelEvaluations.exportEvaluatedDataItems
  • aiplatform.modelEvaluations.get
  • aiplatform.modelEvaluations.list

aiplatform.models.*

  • aiplatform.models.delete
  • aiplatform.models.export
  • aiplatform.models.get
  • aiplatform.models.list
  • aiplatform.models.update
  • aiplatform.models.upload

aiplatform.nasJobs.*

  • aiplatform.nasJobs.cancel
  • aiplatform.nasJobs.create
  • aiplatform.nasJobs.delete
  • aiplatform.nasJobs.get
  • aiplatform.nasJobs.list

aiplatform.nasTrialDetails.*

  • aiplatform.nasTrialDetails.get
  • aiplatform.nasTrialDetails.list

aiplatform.operations.list

aiplatform.pipelineJobs.*

  • aiplatform.pipelineJobs.cancel
  • aiplatform.pipelineJobs.create
  • aiplatform.pipelineJobs.delete
  • aiplatform.pipelineJobs.get
  • aiplatform.pipelineJobs.list

aiplatform.specialistPools.*

  • aiplatform.specialistPools.create
  • aiplatform.specialistPools.delete
  • aiplatform.specialistPools.get
  • aiplatform.specialistPools.list
  • aiplatform.specialistPools.update

aiplatform.studies.*

  • aiplatform.studies.create
  • aiplatform.studies.delete
  • aiplatform.studies.get
  • aiplatform.studies.list
  • aiplatform.studies.update

aiplatform.tensorboardExperiments.*

  • aiplatform.tensorboardExperiments.create
  • aiplatform.tensorboardExperiments.delete
  • aiplatform.tensorboardExperiments.get
  • aiplatform.tensorboardExperiments.list
  • aiplatform.tensorboardExperiments.update
  • aiplatform.tensorboardExperiments.write

aiplatform.tensorboardRuns.*

  • aiplatform.tensorboardRuns.batchCreate
  • aiplatform.tensorboardRuns.create
  • aiplatform.tensorboardRuns.delete
  • aiplatform.tensorboardRuns.get
  • aiplatform.tensorboardRuns.list
  • aiplatform.tensorboardRuns.update
  • aiplatform.tensorboardRuns.write

aiplatform.tensorboardTimeSeries.*

  • aiplatform.tensorboardTimeSeries.batchCreate
  • aiplatform.tensorboardTimeSeries.batchRead
  • aiplatform.tensorboardTimeSeries.create
  • aiplatform.tensorboardTimeSeries.delete
  • aiplatform.tensorboardTimeSeries.get
  • aiplatform.tensorboardTimeSeries.list
  • aiplatform.tensorboardTimeSeries.read
  • aiplatform.tensorboardTimeSeries.update

aiplatform.tensorboards.create

aiplatform.tensorboards.delete

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.tensorboards.update

aiplatform.trainingPipelines.*

  • aiplatform.trainingPipelines.cancel
  • aiplatform.trainingPipelines.create
  • aiplatform.trainingPipelines.delete
  • aiplatform.trainingPipelines.get
  • aiplatform.trainingPipelines.list

aiplatform.trials.*

  • aiplatform.trials.create
  • aiplatform.trials.delete
  • aiplatform.trials.get
  • aiplatform.trials.list
  • aiplatform.trials.update

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.get

artifactregistry.versions.get

automl.datasets.export

automl.datasets.get

automl.datasets.list

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.tableSpecs.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.models.create

bigquery.models.export

bigquery.models.getData

bigquery.readsessions.create

bigquery.readsessions.getData

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.update

bigquery.tables.updateData

bigtable.tables.get

bigtable.tables.list

bigtable.tables.readRows

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.disks.create

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.get

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.machineTypes.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

dataflow.jobs.*

  • dataflow.jobs.cancel
  • dataflow.jobs.create
  • dataflow.jobs.get
  • dataflow.jobs.list
  • dataflow.jobs.snapshot
  • dataflow.jobs.updateContents

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

  • dataflow.snapshots.delete
  • dataflow.snapshots.get
  • dataflow.snapshots.list

datalabeling.annotateddatasets.get

datalabeling.datasets.export

datalabeling.datasets.get

datalabeling.datasets.list

datalabeling.operations.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

logging.logEntries.create

logging.logEntries.route

ml.models.list

ml.operations.get

ml.versions.get

ml.versions.list

monitoring.notificationChannels.get

notebooks.instances.create

notebooks.instances.delete

notebooks.instances.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/aiplatform.customCodeServiceAgent)

Gives Vertex AI Custom Code the proper permissions.

Contains 5 owner permissions

aiplatform.annotationSpecs.*

  • aiplatform.annotationSpecs.create
  • aiplatform.annotationSpecs.delete
  • aiplatform.annotationSpecs.get
  • aiplatform.annotationSpecs.list
  • aiplatform.annotationSpecs.update

aiplatform.annotations.*

  • aiplatform.annotations.create
  • aiplatform.annotations.delete
  • aiplatform.annotations.get
  • aiplatform.annotations.list
  • aiplatform.annotations.update

aiplatform.artifacts.*

  • aiplatform.artifacts.create
  • aiplatform.artifacts.delete
  • aiplatform.artifacts.get
  • aiplatform.artifacts.list
  • aiplatform.artifacts.update

aiplatform.batchPredictionJobs.*

  • aiplatform.batchPredictionJobs.cancel
  • aiplatform.batchPredictionJobs.create
  • aiplatform.batchPredictionJobs.delete
  • aiplatform.batchPredictionJobs.get
  • aiplatform.batchPredictionJobs.list

aiplatform.contexts.*

  • aiplatform.contexts.addContextArtifactsAndExecutions
  • aiplatform.contexts.addContextChildren
  • aiplatform.contexts.create
  • aiplatform.contexts.delete
  • aiplatform.contexts.get
  • aiplatform.contexts.list
  • aiplatform.contexts.queryContextLineageSubgraph
  • aiplatform.contexts.update

aiplatform.customJobs.*

  • aiplatform.customJobs.cancel
  • aiplatform.customJobs.create
  • aiplatform.customJobs.delete
  • aiplatform.customJobs.get
  • aiplatform.customJobs.list

aiplatform.dataItems.*

  • aiplatform.dataItems.create
  • aiplatform.dataItems.delete
  • aiplatform.dataItems.get
  • aiplatform.dataItems.list
  • aiplatform.dataItems.update

aiplatform.dataLabelingJobs.*

  • aiplatform.dataLabelingJobs.cancel
  • aiplatform.dataLabelingJobs.create
  • aiplatform.dataLabelingJobs.delete
  • aiplatform.dataLabelingJobs.get
  • aiplatform.dataLabelingJobs.list

aiplatform.datasets.*

  • aiplatform.datasets.create
  • aiplatform.datasets.delete
  • aiplatform.datasets.export
  • aiplatform.datasets.get
  • aiplatform.datasets.import
  • aiplatform.datasets.list
  • aiplatform.datasets.update

aiplatform.deploymentResourcePools.*

  • aiplatform.deploymentResourcePools.create
  • aiplatform.deploymentResourcePools.delete
  • aiplatform.deploymentResourcePools.get
  • aiplatform.deploymentResourcePools.list
  • aiplatform.deploymentResourcePools.queryDeployedModels
  • aiplatform.deploymentResourcePools.update

aiplatform.edgeDeploymentJobs.*

  • aiplatform.edgeDeploymentJobs.create
  • aiplatform.edgeDeploymentJobs.delete
  • aiplatform.edgeDeploymentJobs.get
  • aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.*

  • aiplatform.edgeDevices.create
  • aiplatform.edgeDevices.delete
  • aiplatform.edgeDevices.get
  • aiplatform.edgeDevices.list
  • aiplatform.edgeDevices.update

aiplatform.endpoints.*

  • aiplatform.endpoints.create
  • aiplatform.endpoints.delete
  • aiplatform.endpoints.deploy
  • aiplatform.endpoints.explain
  • aiplatform.endpoints.get
  • aiplatform.endpoints.list
  • aiplatform.endpoints.predict
  • aiplatform.endpoints.undeploy
  • aiplatform.endpoints.update

aiplatform.entityTypes.create

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.list

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.executions.*

  • aiplatform.executions.addExecutionEvents
  • aiplatform.executions.create
  • aiplatform.executions.delete
  • aiplatform.executions.get
  • aiplatform.executions.list
  • aiplatform.executions.queryExecutionInputsAndOutputs
  • aiplatform.executions.update

aiplatform.features.*

  • aiplatform.features.create
  • aiplatform.features.delete
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.features.update

aiplatform.featurestores.batchReadFeatureValues

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.exportFeatures

aiplatform.featurestores.get

aiplatform.featurestores.importFeatures

aiplatform.featurestores.list

aiplatform.featurestores.readFeatures

aiplatform.featurestores.update

aiplatform.featurestores.writeFeatures

aiplatform.humanInTheLoops.*

  • aiplatform.humanInTheLoops.cancel
  • aiplatform.humanInTheLoops.create
  • aiplatform.humanInTheLoops.delete
  • aiplatform.humanInTheLoops.get
  • aiplatform.humanInTheLoops.list
  • aiplatform.humanInTheLoops.queryAnnotationStats
  • aiplatform.humanInTheLoops.send
  • aiplatform.humanInTheLoops.update

aiplatform.hyperparameterTuningJobs.*

  • aiplatform.hyperparameterTuningJobs.cancel
  • aiplatform.hyperparameterTuningJobs.create
  • aiplatform.hyperparameterTuningJobs.delete
  • aiplatform.hyperparameterTuningJobs.get
  • aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.*

  • aiplatform.indexEndpoints.create
  • aiplatform.indexEndpoints.delete
  • aiplatform.indexEndpoints.deploy
  • aiplatform.indexEndpoints.get
  • aiplatform.indexEndpoints.list
  • aiplatform.indexEndpoints.queryVectors
  • aiplatform.indexEndpoints.undeploy
  • aiplatform.indexEndpoints.update

aiplatform.indexes.*

  • aiplatform.indexes.create
  • aiplatform.indexes.delete
  • aiplatform.indexes.get
  • aiplatform.indexes.list
  • aiplatform.indexes.update

aiplatform.locations.*

  • aiplatform.locations.get
  • aiplatform.locations.list

aiplatform.metadataSchemas.*

  • aiplatform.metadataSchemas.create
  • aiplatform.metadataSchemas.delete
  • aiplatform.metadataSchemas.get
  • aiplatform.metadataSchemas.list

aiplatform.metadataStores.*

  • aiplatform.metadataStores.create
  • aiplatform.metadataStores.delete
  • aiplatform.metadataStores.get
  • aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.*

  • aiplatform.modelDeploymentMonitoringJobs.create
  • aiplatform.modelDeploymentMonitoringJobs.delete
  • aiplatform.modelDeploymentMonitoringJobs.get
  • aiplatform.modelDeploymentMonitoringJobs.list
  • aiplatform.modelDeploymentMonitoringJobs.pause
  • aiplatform.modelDeploymentMonitoringJobs.resume
  • aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
  • aiplatform.modelDeploymentMonitoringJobs.update

aiplatform.modelEvaluationSlices.*

  • aiplatform.modelEvaluationSlices.get
  • aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.*

  • aiplatform.modelEvaluations.exportEvaluatedDataItems
  • aiplatform.modelEvaluations.get
  • aiplatform.modelEvaluations.list

aiplatform.models.*

  • aiplatform.models.delete
  • aiplatform.models.export
  • aiplatform.models.get
  • aiplatform.models.list
  • aiplatform.models.update
  • aiplatform.models.upload

aiplatform.nasJobs.*

  • aiplatform.nasJobs.cancel
  • aiplatform.nasJobs.create
  • aiplatform.nasJobs.delete
  • aiplatform.nasJobs.get
  • aiplatform.nasJobs.list

aiplatform.nasTrialDetails.*

  • aiplatform.nasTrialDetails.get
  • aiplatform.nasTrialDetails.list

aiplatform.operations.list

aiplatform.pipelineJobs.*

  • aiplatform.pipelineJobs.cancel
  • aiplatform.pipelineJobs.create
  • aiplatform.pipelineJobs.delete
  • aiplatform.pipelineJobs.get
  • aiplatform.pipelineJobs.list

aiplatform.specialistPools.*

  • aiplatform.specialistPools.create
  • aiplatform.specialistPools.delete
  • aiplatform.specialistPools.get
  • aiplatform.specialistPools.list
  • aiplatform.specialistPools.update

aiplatform.studies.*

  • aiplatform.studies.create
  • aiplatform.studies.delete
  • aiplatform.studies.get
  • aiplatform.studies.list
  • aiplatform.studies.update

aiplatform.tensorboardExperiments.*

  • aiplatform.tensorboardExperiments.create
  • aiplatform.tensorboardExperiments.delete
  • aiplatform.tensorboardExperiments.get
  • aiplatform.tensorboardExperiments.list
  • aiplatform.tensorboardExperiments.update
  • aiplatform.tensorboardExperiments.write

aiplatform.tensorboardRuns.*

  • aiplatform.tensorboardRuns.batchCreate
  • aiplatform.tensorboardRuns.create
  • aiplatform.tensorboardRuns.delete
  • aiplatform.tensorboardRuns.get
  • aiplatform.tensorboardRuns.list
  • aiplatform.tensorboardRuns.update
  • aiplatform.tensorboardRuns.write

aiplatform.tensorboardTimeSeries.*

  • aiplatform.tensorboardTimeSeries.batchCreate
  • aiplatform.tensorboardTimeSeries.batchRead
  • aiplatform.tensorboardTimeSeries.create
  • aiplatform.tensorboardTimeSeries.delete
  • aiplatform.tensorboardTimeSeries.get
  • aiplatform.tensorboardTimeSeries.list
  • aiplatform.tensorboardTimeSeries.read
  • aiplatform.tensorboardTimeSeries.update

aiplatform.tensorboards.create

aiplatform.tensorboards.delete

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.tensorboards.update

aiplatform.trainingPipelines.*

  • aiplatform.trainingPipelines.cancel
  • aiplatform.trainingPipelines.create
  • aiplatform.trainingPipelines.delete
  • aiplatform.trainingPipelines.get
  • aiplatform.trainingPipelines.list

aiplatform.trials.*

  • aiplatform.trials.create
  • aiplatform.trials.delete
  • aiplatform.trials.get
  • aiplatform.trials.list
  • aiplatform.trials.update

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.tags.get

artifactregistry.versions.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.readsessions.create

bigquery.readsessions.getData

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.update

bigquery.tables.updateData

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

logging.logEntries.create

logging.logEntries.route

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Grant Vertex AI service agents access to other resources

Sometimes you need to grant additional roles to a Vertex AI service agent. For example, if you need Vertex AI to access a Cloud Storage bucket in a different project, you will need to grant one or more additional roles to the service agent.

Role addition requirements for BigQuery

The following table describes the required additional roles needed to be added to the Vertex AI Service Agent for BigQuery tables or view in a different project or backed by an external data source.

The term home project refers to the project where the Vertex AI dataset or model is located. The term different project refers to any other project.

Table type Table project Data source project Role addition required
Native BigQuery table Home project N/A None.
Native BigQuery table Different project N/A BigQuery Data Viewer for different project. Learn more.
BigQuery view Home project N/A None.
BigQuery view Different project N/A BigQuery Data Viewer for different project. Learn more.
External BigQuery data source backed by Bigtable Home project Home project Bigtable Reader for home project. Learn more.
External BigQuery data source backed by Bigtable Home project Different project Bigtable Reader for different project. Learn more.
External BigQuery data source backed by Bigtable Different project Different project BigQuery Reader and Bigtable Reader for different project. Learn more.
External BigQuery data source backed by Cloud Storage Home project Home project None.
External BigQuery data source backed by Cloud Storage Home project Different project Storage Object Viewer for different project. Learn more.
External BigQuery data source backed by Cloud Storage Different project Different project Storage Object Viewer and BigQuery Data Viewer for different project. Learn more.
External BigQuery data source backed by Google Sheets Home project N/A Share your Sheets file with the Vertex AI service account. Learn more.
External BigQuery data source backed by Google Sheets Different project N/A BigQuery Reader for different project and share your Sheets file with the Vertex AI service account.

Role addition requirements for Cloud Storage

If you are accessing data in a Cloud Storage bucket in a different project, you must give the Storage > Storage Object Viewer role to Vertex AI in that project. Learn more.

If you are using a Cloud Storage bucket to receive data from your local computer for an import operation, and the bucket is in a different project than Cloud project, you must give the Storage > Storage Object Creator role to Vertex AI in that project. Learn more.

Grant access to Vertex AI to resources in your home project

To grant additional roles to a service agent for Vertex AI in your home project:

  1. Go to the IAM page of the Google Cloud console for your home project.

    Go to the IAM page

  2. Select the Include Google-provided role grants checkbox.

  3. Determine the service agent you want to grant the permissions to and click the pencil icon.

    You can filter for Principal:@gcp-sa-aiplatform-cc.iam.gserviceaccount.com to find the Vertex AI service agents.

  4. Grant the required roles to the service account and save your changes.

Grant access to Vertex AI to resources in a different project

When you use data sources or destinations in a different project, you must give the Vertex AI service account permissions in that project. The Vertex AI service account is created after you start the first asynchronous job (for example, creating an endpoint). You can also explicitly create the Vertex AI service account by using gcloud CLI following these instructions. This gcloud command will create both the default service account and the custom code service account, though only the default service account will be returned in the response.

To add permissions to Vertex AI in a different project:

  1. Go to the IAM page of the Google Cloud console for your home project (the project where you are using Vertex AI).

    Go to the IAM page

  2. Select the Include Google-provided role grants checkbox.

  3. Determine the service agent you want to grant the permissions to and copy its email address (listed under Principal).

    You can filter for Principal:@gcp-sa-aiplatform-cc.iam.gserviceaccount.com to find the Vertex AI service agents.

  4. Change projects to the project where you need to grant the permissions.

  5. Click Add, and enter the email address in New principals.

  6. Add all required roles and click Save.

Provide access to Google Sheets

If you use an external BigQuery data source backed by Google Sheets, you must share your sheet with the Vertex AI service account. The Vertex AI service account is created after you start the first asynchronous job (for example, creating an endpoint). You can also explicitly create the Vertex AI service account by using gcloud CLI by following this instruction.

To authorize Vertex AI to access your Sheets file:

  1. Go to the IAM page of the Google Cloud console.

    Go to the IAM page

  2. Look for the service account with the name Vertex AI Service Agent and copy its email address (listed under Principal).

  3. Open your Sheets file and share it with that address.

What's next