This page outlines the Identity and Access Management (IAM) roles and permissions necessary for requesting resource access from your Organization and Project IAM administrators. You can use this information to make sure you have the appropriate access for developing applications with Vertex AI features in Google Distributed Cloud (GDC) air-gapped environments.
This page is for application developers within application operator groups who are responsible for integrating AI features into secure air-gapped applications. For more information, see Audiences for GDC air-gapped documentation.
GDC air-gapped uses IAM roles and permissions to manage access to resources at the organizational and project level. An IAM role is a collection of specific permissions mapped to actions on resources. A role is assigned by the organizational or project administrator to a user or service account.
You must request IAM roles and permissions before you can begin integrating Vertex AI features into your air-gapped applications:
To request organizational-level access: Contact your Organization IAM Admin. They grant roles and permissions for setting up Vertex AI within an organization and managing the lifecycle of projects that use AI services.
To request project-level access: Contact your Project IAM administrator to request project-specific roles and permissions. All Vertex AI roles must bind to the project namespace where you're using the service.
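For details, see
Tip: It's important to grant and request access using the principle of least privilege, to verify you have access to only the minimum necessary permissions for your task. This keeps your resources secure and protects them from unwanted access.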
Predefined roles at the organization level
The following table provides details about the permissions assigned to each
predefined role:
| Role name | Kubernetes resource name | Permission description |
|---|---|---|
| AI Platform Admin | ai-platform-admin | Grant permissions to manage AI services. |
| Project Creator | project-creator | Create new projects. |
| User Cluster Admin | user-cluster-admin | Create, update, and delete a Kubernetes cluster, and manage the cluster's lifecycle. |
Predefined roles at the project level
The following table provides details about the permissions assigned to each
predefined role:
| Vertex AI service or model | Role name | Kubernetes resource name | Permission description |
|---|---|---|---|
| N/A | Project IAM Admin | project-iam-admin | Manage the IAM allow policies of projects and create service accounts. |
| Online Prediction | Vertex AI Prediction User | vertex-ai-prediction-user | Access the Online Prediction service to make requests to your model endpoint. |
| Optical Character Recognition (OCR) | AI OCR Developer | ai-ocr-developer | Access the OCR service to detect text in images. |
| Speech-to-Text | AI Speech Chirp Developer | ai-speech-chirp-developer | Access the Chirp model of the Speech-to-Text service to recognize speech and transcribe audio. |
| Speech-to-Text | AI Speech Developer | ai-speech-developer | Access the Speech-to-Text service to recognize speech and transcribe audio. |
| Text Embedding | AI Text Embedding Developer | ai-text-embedding-developer | Access the Text Embedding model to convert English natural language into numerical vectors. |
| Text Embedding | AI Text Embedding Multilingual Developer | ai-text-embedding-multilingual-developer | Access the Text Embedding Multilingual model to convert multilingual natural language into numerical vectors. |
| Vertex AI Search | Discovery Engine Admin | vaisearch-admin | Get full access to all Discovery Engine resources. |
| Vertex AI Search | Discovery Engine Developer | vaisearch-developer | Get read and write access to all Discovery Engine resources. |
| Vertex AI Search | Discovery Engine Reader | vaisearch-reader | Get read access to all Discovery Engine resources. |
| Vertex AI Translation | AI Translation Developer | ai-translation-developer | Access the Vertex AI Translation service to translate text. |
| Vertex AI Workbench | GDC Restricted Service Policy Admin | gdchrestrictedservice-policy-admin | Get full access to the GDCHRestrictedService policy type to control access to Vertex AI Workbench. |
| Vertex AI Workbench | Workbench Notebooks Admin | workbench-notebooks-admin | Get read and write access to all notebook resources within a project namespace. Create, update, and delete notebooks. |
| Vertex AI Workbench | Workbench Notebooks Viewer | workbench-notebooks-viewer | Get read-only access to all notebook resources within a project namespace and view the Vertex AI Workbench user interface. |
Last updated 2025-08-25 UTC.