You can set Identity and Access Management (IAM) policies to control access to the following Vertex AI Feature Store resources:
- Feature groups
- Online store instances
- Feature views
An IAM policy is a collection of bindings, each of which associates one or more members, or principals, with an IAM role. You can include the following types of members in an IAM policy binding:
- Individual user accounts
- Google groups
- Domains
- Service accounts
Before you begin
Authenticate to Vertex AI, unless you've done so already.
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Set an IAM policy for a feature group
Use the following sample to set an IAM policy for an existing feature group.
REST
To assign an IAM policy to a FeatureGroup resource, send a POST request by using the featureGroups.setIamPolicy method.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the feature group is located, such as us-central1.
- PROJECT_ID: Your project ID.
- FEATUREGROUP_NAME: The name of the feature group for which you want to set the IAM policy.
- IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
- USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
- GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
- DOMAIN_NAME: Optional. The domain name to which the role is assigned.
- SERVICE_ACCOUNT_EMAIL: Optional. The email address of the service account to which the role is assigned.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureGroups/FEATUREGROUP_NAME:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureGroups/FEATUREGROUP_NAME:setIamPolicy"
PowerShell
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureGroups/FEATUREGROUP_NAME:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "bindings": [
    {
      "role": "IAM_ROLE_NAME",
      "members": [
        "user:USER_EMAIL",
        "group:GROUP_EMAIL",
        "domain:DOMAIN_NAME",
        "serviceAccount:SERVICE_ACCOUNT_EMAIL"
      ]
    }
  ],
  "etag": "etag"
}
Set an IAM policy for an online store
Use the following sample to set an IAM policy for an existing online store instance.
REST
To assign an IAM policy to a FeatureOnlineStore resource, send a POST request by using the featureOnlineStores.setIamPolicy method.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the online store instance is located, such as us-central1.
- PROJECT_ID: Your project ID.
- FEATUREONLINESTORE_NAME: The name of the online store instance for which you want to set the IAM policy.
- IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
- USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
- GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
- DOMAIN_NAME: Optional. The domain name to which the role is assigned.
- SERVICE_ACCOUNT_EMAIL: Optional. The email address of the service account to which the role is assigned.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy"
PowerShell
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "bindings": [
    {
      "role": "IAM_ROLE_NAME",
      "members": [
        "user:USER_EMAIL",
        "group:GROUP_EMAIL",
        "domain:DOMAIN_NAME",
        "serviceAccount:SERVICE_ACCOUNT_EMAIL"
      ]
    }
  ],
  "etag": "etag"
}
Set an IAM policy for a feature view
Use the following sample to set an IAM policy for an existing feature view.
REST
To assign an IAM policy to a FeatureView resource, send a POST request by using the featureViews.setIamPolicy method.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the feature view is located, such as us-central1.
- PROJECT_ID: Your project ID.
- FEATUREONLINESTORE_NAME: The name of the online store instance containing the feature view.
- FEATUREVIEW_NAME: The name of the feature view for which you want to set the IAM policy.
- IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
- USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
- GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
- DOMAIN_NAME: Optional. The domain name to which the role is assigned.
- SERVICE_ACCOUNT_EMAIL: Optional. The email address of the service account to which the role is assigned.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "IAM_ROLE_NAME",
        "members": [
          "user:USER_EMAIL",
          "group:GROUP_EMAIL",
          "domain:DOMAIN_NAME",
          "serviceAccount:SERVICE_ACCOUNT_EMAIL"
        ]
      }
    ]
  }
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy"
PowerShell
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "bindings": [
    {
      "role": "IAM_ROLE_NAME",
      "members": [
        "user:USER_EMAIL",
        "group:GROUP_EMAIL",
        "domain:DOMAIN_NAME",
        "serviceAccount:SERVICE_ACCOUNT_EMAIL"
      ]
    }
  ],
  "etag": "etag"
}
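The three setIamPolicy requests above each send a complete policy, and in Google Cloud IAM setIamPolicy replaces whatever policy the resource already has. The following added example (not part of the original page or of Google's samples) builds the contents of request.json by merging one binding into the current policy, keeping its etag, and checks each member against the member types listed on this page. It assumes the current policy was read with the resource's getIamPolicy method, which this page does not show; the sample policy, role names and email addresses are constructed.

```python
import copy
import json

# Member prefixes listed on this page for a policy binding.
ALLOWED_PREFIXES = ("user:", "group:", "domain:", "serviceAccount:")

# Constructed sample of a policy already set on the resource (values are made up).
# Assumption: it was read with the resource's getIamPolicy method (not shown on this page).
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/aiplatform.viewer",
                  "members": ["group:ml-readers@example.com"]}],
    "etag": "CONSTRUCTED_ETAG",
}

def validate_member(member):
    """Reject members with an unknown prefix, no value, or stray whitespace."""
    prefix, sep, value = member.partition(":")
    if not sep or prefix + ":" not in ALLOWED_PREFIXES:
        raise ValueError(f"unsupported member type: {member!r}")
    if not value or any(ch.isspace() for ch in member):
        raise ValueError(f"empty or whitespace-padded member: {member!r}")
    return member

def merge_binding(current_policy, role, members):
    """Build a setIamPolicy body that adds members to role and keeps
    every existing binding and the etag of the policy that was read."""
    policy = copy.deepcopy(current_policy)
    bindings = policy.setdefault("bindings", [])
    target = next((b for b in bindings if b.get("role") == role), None)
    if target is None:
        target = {"role": role, "members": []}
        bindings.append(target)
    for member in members:
        validate_member(member)
        if member not in target.setdefault("members", []):
            target["members"].append(member)
    return {"policy": policy}

def domain_wide_grants(policy):
    """Return (role, member) pairs that grant a role to an entire domain."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m.startswith("domain:")]

if __name__ == "__main__":
    body = merge_binding(SAMPLE_POLICY, "roles/aiplatform.user",
                         ["user:analyst@example.com", "domain:example.com"])
    print(json.dumps(body, indent=2))  # contents for request.json
    print(domain_wide_grants(body["policy"]))
```

Review the output of domain_wide_grants before sending the request: a domain member grants the role to every account in that domain.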
What's next
- Learn how to list all features in a feature group.
- Learn how to update a feature.
- Learn how to delete a feature.
- Learn how to update a feature group.
- Online serving types in Vertex AI Feature Store.