Access control

To use the generative AI features on Vertex AI, the principals (for example, users, groups, and service accounts) in your project need to be granted the appropriate IAM role. You can also create custom roles to grant a user-defined set of permissions to a principal. This page shows you the applicable IAM roles to grant and the specific permissions needed for each operation so you can create custom roles.

Predefined roles

You can grant the users or groups in your project one of the following predefined roles to give them access to the generative AI features on Vertex AI:

To learn more about Vertex AI IAM roles, see Vertex AI access control with IAM.


The following table maps generative AI operations to the permissions required for the operation. If you need fine-grained access control, you can refer to these mappings to create custom roles.

Operation Permissions needed
Make prompt requests
  • aiplatform.endpoints.predict
Save, view, update, and delete prompts in Vertex AI Studio
  • aiplatform.datasets.create
  • aiplatform.datasets.update
  • aiplatform.datasets.delete
  • aiplatform.datasets.list
  • aiplatform.datasets.get
Model tuning
  • aiplatform.pipelineJobs.*
  • aiplatform.customJobs.*
  • aiplatform.datasets.export
  • aiplatform.datasets.get
  • aiplatform.models.upload
  • aiplatform.models.get
  • aiplatform.endpoints.create
  • aiplatform.endpoints.get
  • aiplatform.endpoints.deploy
  • aiplatform.metadataStores.get
  • storage.objects.create
  • storage.objects.update
  • storage.objects.get
  • storage.objects.list

To learn more about Vertex AI IAM permissions, see IAM permissions.

What's next