This page describes how you use Identity and Access Management to control access to your AutoML Tables resources, including data sources and results destinations.
Overview of Identity and Access Management
When you use AutoML Tables, you can manage access to your resources with Identity and Access Management (IAM). IAM lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM permissions and roles for AutoML Tables. For a detailed description of IAM, see the IAM documentation.
IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (user) has what (role) type of access for which resources by granting one or more roles to a user, giving the user certain permissions. For example, you can grant the AutoML Viewer role (roles/automl.viewer) to a user, which allows the user to view resources in the project. If that user needs to create or update resources, you can grant the AutoML Editor role (roles/automl.editor) instead.
Roles
AutoML Tables uses the AutoML API, which provides a set of predefined roles that help you control access to your AutoML resources.
You can also create your own custom roles, if the predefined roles do not provide the sets of permissions you need.
In addition, the older basic roles (Editor, Viewer, and Owner) are also available to you, although they do not provide the same fine-grained control as the AutoML roles. If possible, avoid using the basic roles; they provide access to resources across Google Cloud, rather than just for AutoML. Learn more about basic roles.
Predefined roles
This section summarizes the predefined roles provided by AutoML.
Role | Permissions | Lowest-level resources where you can grant this role |
---|---|---|
AutoML Admin (Beta) | Full access to all AutoML resources | |
AutoML Editor (Beta) | Editor of all AutoML resources | |
AutoML Predictor (Beta) | Predict using models | |
AutoML Viewer (Beta) | Viewer of all AutoML resources | |
Giving permissions to AutoML Tables in your home project
Sometimes you need to grant additional roles to a service account that AutoML Tables creates automatically. For example, when you use BigQuery external tables backed by Bigtable data sources, you need to grant additional roles to the automatically created service account, so that it has the required permissions to read and write data for BigQuery and Bigtable.
To grant additional roles to the automatically created service account for AutoML Tables in your home project:
1. Go to the IAM page of the Google Cloud console for your home project.
2. Select the Include Google-provided role grants checkbox in the upper right-hand corner.
3. Click the pencil icon for the service account with the name AutoML Service Agent.
4. Grant the required roles to the service account and save your changes.
Giving permissions to AutoML Tables in a different project
When you use data sources or destinations in a different project, you must give the AutoML Tables service account permissions in that project. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.
To add permissions to AutoML Tables in a different project:
1. Go to the IAM page of the Google Cloud console for your home project (the project where you are using AutoML Tables).
2. Select the Include Google-provided role grants checkbox in the upper right-hand corner.
3. Find the service account with the name AutoML Service Agent and copy its email address (listed under Principal).
4. Change projects to the project where you need to grant the permissions.
5. Click Add, and enter the email address in New principals.
6. Add all required roles and click Save.
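After completing a cross-project grant like the one above, it is worth checking the resulting policy rather than trusting the console click-through: the service agent should hold exactly the roles the data source needs, and none of the basic roles the Roles section advises against. The following audit is an added example, not code from the AutoML Tables documentation. It assumes the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`; the required-role list and the sample policy are constructed for illustration and are not the roles the page prescribes.

```python
"""Audit the roles granted to the AutoML service agent in a data project."""
import json

# Basic roles grant access across Google Cloud; the page recommends avoiding them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def automl_agent_member(project_number):
    """IAM member string for the AutoML service agent of the home project.

    The address follows the pattern shown on the page:
    service-PROJECT_NUMBER@gcp-sa-automl.iam.gserviceaccount.com
    """
    return f"serviceAccount:service-{project_number}@gcp-sa-automl.iam.gserviceaccount.com"


def roles_for_member(policy, member):
    """Collect every role bound to `member` in a get-iam-policy JSON document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_agent_grants(policy, project_number, required_roles):
    """Return (missing, overbroad): required roles the agent lacks, and basic roles it holds."""
    granted = roles_for_member(policy, automl_agent_member(project_number))
    missing = sorted(set(required_roles) - granted)
    overbroad = sorted(granted & BASIC_ROLES)
    return missing, overbroad


# Constructed sample policy for the data project (not a real get-iam-policy capture).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/bigquery.dataViewer",
     "members": ["serviceAccount:service-358517216@gcp-sa-automl.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:service-358517216@gcp-sa-automl.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

if __name__ == "__main__":
    # Assumed required roles for a Bigtable-backed BigQuery source; adjust for your data source.
    needed = ["roles/bigquery.dataViewer", "roles/bigtable.reader"]
    missing, overbroad = audit_agent_grants(SAMPLE_POLICY, "358517216", needed)
    print("missing roles:", missing)        # → ['roles/bigtable.reader']
    print("over-broad basic roles:", overbroad)  # → ['roles/editor']
```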
Providing access to Google Sheets
If you use an external BigQuery data source backed by Google Sheets, you must share your sheet with the AutoML service account. The AutoML Tables service account is automatically created when you enable the AutoML Tables API.
To authorize AutoML Tables to access your Sheets file:
1. Go to the IAM page of the Google Cloud console.
2. Select the Include Google-provided role grants checkbox in the upper right-hand corner.
3. Look for the service account with the name AutoML Service Agent.
4. Copy the Principal name to your clipboard. The Principal name is an email address, similar to this example: service-358517216@gcp-sa-automl.iam.gserviceaccount.com
5. Open your Sheets file and share it with that address.
Managing IAM roles
You can grant, change, and revoke IAM roles using the Google Cloud console, the IAM API, or the gcloud command-line tool. For detailed instructions, see Granting, changing, and revoking access.
What's next
Learn more about Identity and Access Management.