User-managed notebooks instances have a specific set of Identity and Access Management (IAM) roles. Each predefined role contains a set of permissions.
You can use an IAM policy to grant a principal one or more IAM roles. Each IAM role contains permissions that grant the principal access to specific resources.
User-managed notebooks IAM permissions let you manage instances through the Notebooks API; for example, you can create, delete, and modify user-managed notebooks instances. Note that these permissions control the instance lifecycle, not who can open the JupyterLab interface running on the instance. For information about configuring JupyterLab access, see Opening a notebook results in a 403 (Forbidden) error.
What is IAM?
Google Cloud offers IAM, which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only necessary access to your resources.
IAM lets you control who has what permission to which resources by setting IAM policies. IAM policies grant specific roles to a principal, giving the principal specific permissions. For example, for a specific resource, such as a Google Cloud project, you can assign the roles/notebooks.viewer role to a user to let that user view notebooks within that project.
For more information, see Identity and Access Management.
Access to the JupyterLab web interface of a user-managed notebooks instance
When you create a user-managed notebooks instance, user-managed notebooks by default grants a service account access to the JupyterLab web interface. To grant a user access to the JupyterLab web interface, you must grant the user access to the service account used by the user-managed notebooks instance. Be aware of what that grant implies: a principal who can act as the instance's service account can exercise every permission that service account holds, not only JupyterLab access, so keep the service account's own roles to the minimum the notebook work requires. To troubleshoot problems with accessing the web interface, see the Vertex AI troubleshooting guide.
Learn more about service accounts and how to grant access to service accounts.
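The grant described above is a change to the service account's own IAM policy, and the safe way to make it is read-modify-write: fetch the current policy, add the member to the binding, and write the policy back with its etag so a concurrent change is not silently overwritten. The following is an added example, not code from the Google Cloud documentation. It assumes the policy is the JSON that `gcloud iam service-accounts get-iam-policy SA --format=json` returns, that the role needed to reach JupyterLab is roles/iam.serviceAccountUser on the instance's service account, and that the sample policy embedded here is constructed for illustration.

```python
"""Add a principal to roles/iam.serviceAccountUser on a notebooks instance's
service account, using the read-modify-write pattern.

Added example (not from the Google Cloud docs). Policy shape assumed to match
`gcloud iam service-accounts get-iam-policy SA --format=json`.
"""
import copy
import json

SA_USER_ROLE = "roles/iam.serviceAccountUser"
# Member types a human administrator would grant here. Anything else, including
# allUsers and allAuthenticatedUsers, is rejected: a service account that the
# world can act as is a project-wide credential leak.
VALID_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")


def add_service_account_user(policy: dict, member: str) -> dict:
    """Return a copy of `policy` with `member` bound to roles/iam.serviceAccountUser.

    Idempotent: an existing unconditional binding for the role is reused and a
    member already present is not duplicated. Conditional bindings are never
    merged into (that would put the new member under someone else's condition);
    a fresh unconditional binding is appended instead. The etag is preserved so
    `set-iam-policy` fails if the policy changed since it was read.
    """
    if not member.startswith(VALID_PREFIXES):
        raise ValueError(f"refusing to bind {member!r}; expected one of {VALID_PREFIXES}")
    new_policy = copy.deepcopy(policy)
    new_policy.setdefault("version", 1)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == SA_USER_ROLE and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new_policy
    bindings.append({"role": SA_USER_ROLE, "members": [member]})
    return new_policy


# Constructed sample: what get-iam-policy might return for an instance's
# service account that one user can already act as.
SAMPLE_SA_POLICY = {
    "version": 1,
    "etag": "BwXyz123abc=",
    "bindings": [
        {"role": SA_USER_ROLE, "members": ["user:alice@example.com"]},
    ],
}

if __name__ == "__main__":
    # Workflow (gcloud invocations shown in comments, not executed here):
    #   gcloud iam service-accounts get-iam-policy SA --project P --format=json > policy.json
    #   <run this code on policy.json, write the result to policy.json>
    #   gcloud iam service-accounts set-iam-policy SA policy.json --project P
    updated = add_service_account_user(SAMPLE_SA_POLICY, "user:bob@example.com")
    print(json.dumps(updated, indent=2))
```

The function deliberately rejects allUsers and allAuthenticatedUsers rather than warning about them: a public actAs grant on the instance's service account would hand its permissions to anyone, which is the failure mode the caveat above describes.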
Predefined user-managed notebooks IAM roles
User-managed notebooks has predefined IAM roles that you can assign to principals. Each role contains a set of permissions that is suitable for a specific task. To grant permissions, you set policies that grant roles to a principal (a user, group, or service account) on your project. With IAM, every API method in user-managed notebooks requires that the identity making the API request holds the appropriate permissions on the resource; a request without them is rejected.
In addition to basic roles (viewer, editor, owner) and custom roles, you can assign the following user-managed notebooks predefined roles to principals.
The following table describes the predefined user-managed notebooks IAM roles. Each role contains a set of permissions that is suitable for a specific task. For example, the Notebooks Viewer (roles/notebooks.viewer) role grants read-only access to the specified resource, whereas Notebooks Admin (roles/notebooks.admin) grants full access; prefer the viewer role for anyone who only needs to see instances.
Role | Description
---|---
Notebooks Admin (roles/notebooks.admin) | Full access to Notebooks, all resources. Lowest-level resources where you can grant this role:
Notebooks Legacy Admin (roles/notebooks.legacyAdmin) | Full access to Notebooks, all resources, through the Compute API.
Notebooks Legacy Viewer (roles/notebooks.legacyViewer) | Read-only access to Notebooks, all resources, through the Compute API.
Notebooks Runner (roles/notebooks.runner) | Restricted access for running scheduled Notebooks.
Notebooks Viewer (roles/notebooks.viewer) | Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role:
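Because basic roles (owner, editor, viewer) also carry notebooks permissions and the legacy roles route access through the Compute API, a project's effective notebooks access is not visible from the notebooks bindings alone. The following is an added example, not code from the Google Cloud documentation, that audits the JSON returned by `gcloud projects get-iam-policy PROJECT --format=json` for the roles in the table above and for basic roles, and reports the grants a reviewer applying least privilege would question. The severity labels, the sample policy, and the principal names are constructed for illustration.

```python
"""Audit a project IAM policy for user-managed notebooks access.

Added example (not from the Google Cloud docs). Input is assumed to be the
JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns.
"""

# Predefined notebooks roles from the table, with the breadth each grants.
NOTEBOOKS_ROLES = {
    "roles/notebooks.admin": "full",
    "roles/notebooks.legacyAdmin": "full",
    "roles/notebooks.legacyViewer": "read",
    "roles/notebooks.runner": "restricted",
    "roles/notebooks.viewer": "read",
}
# Basic roles include notebooks permissions as a side effect of being
# project-wide; they are always broader than any predefined notebooks role.
BASIC_ROLES = {"roles/owner": "full", "roles/editor": "full", "roles/viewer": "read"}
LEGACY_ROLES = {"roles/notebooks.legacyAdmin", "roles/notebooks.legacyViewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def breadth(role: str) -> str:
    """Access breadth of a role that matters for notebooks ('full', 'read', ...)."""
    return NOTEBOOKS_ROLES.get(role) or BASIC_ROLES.get(role) or "none"


def notebooks_access(policy: dict) -> dict:
    """Map each member to the set of bound roles that confer notebooks access.

    Roles unrelated to notebooks (for example roles/storage.objectViewer) are
    ignored; conditional bindings are included because a condition narrows
    when a grant applies, not what it grants.
    """
    access: dict = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in NOTEBOOKS_ROLES and role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            access.setdefault(member, set()).add(role)
    return access


def findings(policy: dict) -> list:
    """Return (severity, member, message) tuples, ordered by member then severity."""
    out = []
    for member, roles in sorted(notebooks_access(policy).items()):
        if member in PUBLIC_MEMBERS:
            out.append(("HIGH", member, f"public principal holds {sorted(roles)}"))
        basic = sorted(r for r in roles if r in BASIC_ROLES)
        if basic:
            out.append(("MEDIUM", member,
                        f"basic role(s) {basic} grant notebooks access plus far more; "
                        "replace with a predefined notebooks role"))
        legacy = sorted(r for r in roles if r in LEGACY_ROLES)
        if legacy:
            out.append(("LOW", member,
                        f"legacy role(s) {legacy} grant access through the Compute API; "
                        "prefer roles/notebooks.admin or roles/notebooks.viewer"))
        has_full = any(breadth(r) == "full" for r in roles)
        if "roles/notebooks.viewer" in roles and has_full:
            out.append(("INFO", member, "viewer grant is redundant next to a full-access role"))
    return out


# Constructed sample project policy (shape of get-iam-policy output).
SAMPLE_PROJECT_POLICY = {
    "version": 1,
    "etag": "BwAbc456def=",
    "bindings": [
        {"role": "roles/notebooks.viewer",
         "members": ["group:ds-readers@example.com", "user:carol@example.com"]},
        {"role": "roles/notebooks.admin", "members": ["user:carol@example.com"]},
        {"role": "roles/notebooks.legacyViewer",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["group:ds-readers@example.com"]},
    ],
}

if __name__ == "__main__":
    for severity, member, message in findings(SAMPLE_PROJECT_POLICY):
        print(f"{severity:6} {member}: {message}")
```

Run it against a real export with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and `json.load` the file into `findings`. The group grant of roles/notebooks.viewer in the sample produces no finding: a read-only predefined role granted to a group is the shape the least-privilege guidance above is asking for.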
What's next
- Learn more about IAM.
- Grant user-managed notebooks IAM roles to principals.
- Learn how to create and manage custom IAM roles.