Access control

To use the generative AI features on Vertex AI, the principals (for example, users, groups, and service accounts) in your project need to be granted the appropriate IAM role. You can also create custom roles to grant a user-defined set of permissions to a principal. This page shows you the applicable IAM roles to grant and the specific permissions needed for each operation so you can create custom roles.

Predefined roles

You can grant the users or groups in your project one of the following predefined roles to give them access to the generative AI features on Vertex AI:

To learn more about Vertex AI IAM roles, see Vertex AI access control with IAM.

Permissions

The following table maps generative AI operations to the permissions required for the operation. If you need fine-grained access control, you can refer to these mappings to create custom roles.

Operation	Permissions needed
Make prompt requests	`aiplatform.endpoints.predict`
Save, view, update, and delete prompts in Vertex AI Studio	`aiplatform.datasets.create` `aiplatform.datasets.update` `aiplatform.datasets.delete` `aiplatform.datasets.list` `aiplatform.datasets.get`
Model tuning	`aiplatform.pipelineJobs.` `aiplatform.customJobs.` `aiplatform.datasets.export` `aiplatform.datasets.get` `aiplatform.models.upload` `aiplatform.models.get` `aiplatform.endpoints.create` `aiplatform.endpoints.get` `aiplatform.endpoints.deploy` `aiplatform.metadataStores.get` `storage.objects.create` `storage.objects.update` `storage.objects.get` `storage.objects.list`

To learn more about Vertex AI IAM permissions, see IAM permissions.

What's next

Learn how to enable Data Access audit logs.
Learn more about access control with IAM.
Learn how to tune a foundation model.
Learn about responsible AI best practices and Vertex AI's safety filters.