Vertex AI Workbench uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.
There are different types of IAM roles that can be used in Vertex AI Workbench:
- Predefined roles let you grant a set of related permissions to your Vertex AI Workbench resources at the project level.
- Basic roles (Owner, Editor, and Viewer) provide access control to your Vertex AI Workbench resources at the project level, and are common to all Google Cloud services.
- Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.
To add, update, or remove these roles in your Vertex AI Workbench project, see the documentation on granting, changing, and revoking access.
Predefined roles for Vertex AI Workbench
Vertex AI Workbench resources are managed through the Notebooks API. Therefore, the Notebooks roles define the permissions for using Vertex AI Workbench.
Role | Permissions |
---|---|
Notebooks Admin | Full access to Notebooks, all resources. Lowest-level resources where you can grant this role: |
Notebooks Legacy Admin | Full access to Notebooks, all resources, through compute API. |
Notebooks Legacy Viewer | Read-only access to Notebooks, all resources, through compute API. |
Notebooks Runner | Restricted access for running scheduled Notebooks. |
Notebooks Viewer | Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role: |
Basic roles
The older Google Cloud basic roles are common to all Google Cloud services. These roles are Owner, Editor, and Viewer.
The basic roles provide permissions across Google Cloud, not just for Vertex AI Workbench. For this reason, you should use Vertex AI Workbench roles whenever possible.
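The following audit sketch is an added example, not part of the original documentation: it scans a project IAM policy for members that still hold a basic role and reports which Notebooks roles they already have, so the basic binding can be reviewed for removal. The role IDs, the member names, and the sample policy (shaped like the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`) are assumptions constructed for illustration.

```python
import json

# Basic roles named on this page; they grant permissions across Google Cloud.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Role IDs of the predefined Notebooks roles (assumption: IDs are not listed on this page).
NOTEBOOKS_ROLES = {
    "roles/notebooks.admin", "roles/notebooks.viewer", "roles/notebooks.runner",
    "roles/notebooks.legacyAdmin", "roles/notebooks.legacyViewer",
}

# Constructed sample policy; members and project name are hypothetical.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:analyst@example.com",
                 "serviceAccount:nb-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/notebooks.viewer", "members": ["group:ds-team@example.com"]},
    {"role": "roles/notebooks.admin", "members": ["user:analyst@example.com"]},
    {"role": "roles/viewer", "members": ["group:ds-team@example.com"]}
  ]
}
""")

def audit_policy(policy):
    """Return one finding per member that holds a basic role at project level."""
    # First pass: index the Notebooks roles each member already holds.
    notebooks_by_member = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in NOTEBOOKS_ROLES:
            for member in binding.get("members", []):
                notebooks_by_member.setdefault(member, set()).add(binding["role"])
    # Second pass: report every basic-role grant with that context attached.
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "basic_role": binding["role"],
                "is_service_account": member.startswith("serviceAccount:"),
                # Non-empty list: the basic role may be redundant for notebook work.
                "notebooks_roles": sorted(notebooks_by_member.get(member, ())),
            })
    return sorted(findings, key=lambda f: (f["member"], f["basic_role"]))

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

A finding with an empty `notebooks_roles` list means the member has no Notebooks role to fall back on, so one must be granted before the basic role is revoked.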
Custom roles
If the predefined IAM roles for Vertex AI Workbench don't meet your needs, you can define custom roles. Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization. For more information, see Understanding IAM custom roles.
About service accounts
A service account is an account for an application or compute workload instead of an individual end user. You can create and assign permissions to service accounts to provide specific permissions to a resource or application.
Service accounts are identified by an email address.
What's next
- Learn more about IAM.
- Learn how to create and manage custom IAM roles.