Google Distributed Cloud (GDC) air-gapped offers Identity and Access Management (IAM) for granular access to specific Distributed Cloud resources and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and controls who can access given resources using IAM roles and permissions.
A role is a collection of specific permissions mapped to certain actions on resources and assigned to individual subjects, such as users, groups of users, or service accounts. Therefore, you must have the proper IAM roles and permissions to use Vertex AI services on Distributed Cloud.
This page describes all the roles and their respective permissions for using Vertex AI services.
Predefined roles at the organization level
Request the appropriate permissions from your Organization IAM Admin to set up Vertex AI in an organization and manage the lifecycle of a project that uses AI services.
To grant permissions or receive role access to resources at the organization level, see Grant and revoke access.
The following table provides details about the permissions assigned to each predefined role:
| Role name | Kubernetes resource name | Permission description |
|---|---|---|
| AI Platform Admin | ai-platform-admin |
Grant permissions to manage pre-trained services. |
| Project Creator | project-creator |
Create new projects. |
| User Cluster Admin | user-cluster-admin |
Create, update, and delete a Kubernetes cluster, and manage the cluster's lifecycle. |
Predefined roles at the project level
Request the appropriate permissions from your Project IAM Admin to use Vertex AI services in a project. All Vertex AI roles must bind to the project namespace where you are using the service.
To grant permissions or receive role access to resources at the project level, see Grant access to project resources.
The following table provides details about the permissions assigned to each predefined role:
| Vertex AI service | Role name | Kubernetes resource name | Permission description |
|---|---|---|---|
| N/A | Project IAM Admin | project-iam-admin |
Manage the IAM allow policies of projects and create service accounts. |
| Gemini Flash | AI Gemini Flash Developer | ai-gemini-flash-developer |
Access the Gemini Flash model service to make requests to the model endpoint. |
| Online Prediction | Vertex AI Prediction User | vertex-ai-prediction-user |
Access the Online Prediction service to make requests to your model endpoint. |
| Optical Character Recognition (OCR) | AI OCR Developer | ai-ocr-developer |
Access the OCR service to detect text in images. |
| Speech-to-Text | AI Speech Chirp Developer | ai-speech-chirp-developer |
Access the Chirp model of the Speech-to-Text service to recognize speech and transcribe audio. |
| AI Speech Developer | ai-speech-developer |
Access the Speech-to-Text service to recognize speech and transcribe audio. | |
| Text Embedding | AI Text Embedding Developer | ai-text-embedding-developer |
Access the Text Embedding service to convert English natural language into numerical vectors. |
| AI Text Embedding Multilingual Developer | ai-text-embedding-multilingual-developer |
Access the Text Embedding Multilingual service to convert multilingual natural language into numerical vectors. | |
| Vertex AI Search | Discovery Engine Admin | vaisearch-admin |
Get full access to all Discovery Engine resources. |
| Discovery Engine Developer | vaisearch-developer |
Get read and write access to all Discovery Engine resources. | |
| Discovery Engine Reader | vaisearch-reader |
Get read access to all Discovery Engine resources. | |
| Vertex AI Translation | AI Translation Developer | ai-translation-developer |
Access the Vertex AI Translation service to translate text. |
| Vertex AI Workbench | GDC Restricted Service Policy Admin | gdchrestrictedservice-policy-admin |
Get full access to the GDCHRestrictedService policy type to control access to Vertex AI Workbench. |
| Workbench Notebooks Admin | workbench-notebooks-admin |
Get read and write access to all notebook resources within a project namespace. Create, update, and delete notebooks. |
|
| Workbench Notebooks Viewer | workbench-notebooks-viewer |
Get read-only access to all notebook resources within a project namespace and view the Vertex AI Workbench user interface. |