To use the generative AI features on Vertex AI, you must grant the appropriate IAM roles to principals, such as users, groups, and service accounts. You can grant a broad, predefined role or create a custom role with a specific set of permissions. This page describes the different ways to grant access to generative AI features: Vertex AI offers predefined roles for common use cases and the ability to create custom roles for more granular control. The following table compares these options to help you choose the right role for your principals. To give principals access to generative AI features on Vertex AI, you can grant one of the following predefined roles: To learn more about Vertex AI IAM roles, see
Vertex AI access control with IAM. The following table maps generative AI operations to the permissions required
for the operation. If you need fine-grained access control, you can refer to
these mappings to create custom roles. To learn more about Vertex AI IAM permissions, see
IAM permissions.
Choosing a role
Role
Description
Pros
Cons
Best for
Vertex AI Administrator
(roles/aiplatform.admin
)Grants full access to all Vertex AI resources, including generative AI features.
Simple to manage; provides comprehensive permissions.
Violates the principle of least privilege; grants excessive permissions if a user only needs specific features.
Administrators who need to manage all aspects of Vertex AI.
Vertex AI User
(roles/aiplatform.user
)Grants permissions to use Vertex AI resources, including making predictions and managing jobs.
Good balance for developers and data scientists who actively use the platform.
May still grant more permissions than necessary for specific, limited tasks.
Users who need to develop, train, and deploy models.
Custom Role
A role you create by combining specific permissions from the permissions list.
Follows the principle of least privilege; provides precise, fine-grained control.
Requires more effort to create and maintain.
Applications or users with specific, limited responsibilities, such as only making prediction calls.
Predefined roles
Permissions for custom roles
Operation
Permissions needed
Make prompt requests
aiplatform.endpoints.predict
Save, view, update, and delete prompts in Vertex AI Studio
aiplatform.datasets.create
aiplatform.datasets.update
aiplatform.datasets.delete
aiplatform.datasets.list
aiplatform.datasets.get
Model tuning
aiplatform.pipelineJobs.*
aiplatform.customJobs.*
aiplatform.datasets.export
aiplatform.datasets.get
aiplatform.models.upload
aiplatform.models.get
aiplatform.endpoints.create
aiplatform.endpoints.get
aiplatform.endpoints.deploy
aiplatform.metadataStores.get
storage.objects.create
storage.objects.update
storage.objects.get
storage.objects.list
What's next
Access control
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-15 UTC.