This page is for application developers within application operator groups who are responsible for integrating AI features into secure air-gapped applications. For more information, see Audiences for GDC air-gapped documentation.
GDC air-gapped uses IAM roles and permissions to manage access to resources at the organizational and project level. An IAM role is a collection of specific permissions mapped to actions on resources. A role is assigned by the organizational or project administrator to a user or service account.
You must request IAM roles and permissions before you can begin integrating Vertex AI features into your air-gapped applications:
- To request organizational-level access: Contact your Organization IAM Admin. They grant roles and permissions for setting up Vertex AI within an organization and managing the lifecycle of projects that use AI services.
- To request project-level access: Contact your Project IAM administrator to request project-specific roles and permissions. All Vertex AI roles must bind to the project namespace where you're using the service.
For details, see
Predefined roles at the organization level
The following table provides details about the permissions assigned to each predefined role:
Role name | Kubernetes resource name | Permission description |
---|---|---|
AI Platform Admin | ai-platform-admin | Grant permissions to manage AI services. |
Project Creator | project-creator | Create new projects. |
User Cluster Admin | user-cluster-admin | Create, update, and delete a Kubernetes cluster, and manage the cluster's lifecycle. |
Predefined roles at the project level
The following table provides details about the permissions assigned to each predefined role:
Vertex AI service or model | Role name | Kubernetes resource name | Permission description |
---|---|---|---|
N/A | Project IAM Admin | project-iam-admin | Manage the IAM allow policies of projects and create service accounts. |
Online Prediction | Vertex AI Prediction User | vertex-ai-prediction-user | Access the Online Prediction service to make requests to your model endpoint. |
Optical Character Recognition (OCR) | AI OCR Developer | ai-ocr-developer | Access the OCR service to detect text in images. |
Speech-to-Text | AI Speech Chirp Developer | ai-speech-chirp-developer | Access the Chirp model of the Speech-to-Text service to recognize speech and transcribe audio. |
Speech-to-Text | AI Speech Developer | ai-speech-developer | Access the Speech-to-Text service to recognize speech and transcribe audio. |
Text Embedding | AI Text Embedding Developer | ai-text-embedding-developer | Access the Text Embedding model to convert English natural language into numerical vectors. |
Text Embedding | AI Text Embedding Multilingual Developer | ai-text-embedding-multilingual-developer | Access the Text Embedding Multilingual model to convert multilingual natural language into numerical vectors. |
Vertex AI Search | Discovery Engine Admin | vaisearch-admin | Get full access to all Discovery Engine resources. |
Vertex AI Search | Discovery Engine Developer | vaisearch-developer | Get read and write access to all Discovery Engine resources. |
Vertex AI Search | Discovery Engine Reader | vaisearch-reader | Get read access to all Discovery Engine resources. |
Vertex AI Translation | AI Translation Developer | ai-translation-developer | Access the Vertex AI Translation service to translate text. |
Vertex AI Workbench | GDC Restricted Service Policy Admin | gdchrestrictedservice-policy-admin | Get full access to the GDCHRestrictedService policy type to control access to Vertex AI Workbench. |
Vertex AI Workbench | Workbench Notebooks Admin | workbench-notebooks-admin | Get read and write access to all notebook resources within a project namespace. Create, update, and delete notebooks. |
Vertex AI Workbench | Workbench Notebooks Viewer | workbench-notebooks-viewer | Get read-only access to all notebook resources within a project namespace and view the Vertex AI Workbench user interface. |