Manage access to a runtime template
This page describes how you can grant and revoke access to a runtime template in Colab Enterprise.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Vertex AI, Dataform, and Compute Engine APIs.
Required roles
To get the permissions that you need to manage access to a runtime template, ask your administrator to grant you the Colab Enterprise Admin (roles/aiplatform.colabEnterpriseAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Grant access to a runtime template
To grant a principal access to a runtime template, you can use the Google Cloud console, the Google Cloud CLI, or Terraform.
Console
- In the Google Cloud console, go to the Colab Enterprise Runtime templates page.
- In the Region menu, select the region that contains your runtime template.
- In the Runtime template menu, select a runtime template. If there aren't any runtime templates listed, create a runtime template.
- Click Permissions.
- In the Permissions window, click Add principal.
- In the Grant access dialog, in the New principals field, enter one principal or a comma-separated list of principals.
- In the Select a role menu, complete the dialog to assign a role.
- Optional: Click Add another role, and repeat the last step.
- Click Save.
gcloud
Before using any of the command data below, make the following replacements:
- RUNTIME_TEMPLATE_ID: the ID of your runtime template.
- PRINCIPAL: the principal to add the binding for.
- ROLE: the role name to assign to the principal.
- PROJECT_ID: your project ID.
- REGION: the region where your runtime template is located.
Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud colab runtime-templates add-iam-policy-binding RUNTIME_TEMPLATE_ID \
        --member=PRINCIPAL \
        --role=ROLE \
        --project=PROJECT_ID \
        --region=REGION

Windows (PowerShell)

    gcloud colab runtime-templates add-iam-policy-binding RUNTIME_TEMPLATE_ID `
        --member=PRINCIPAL `
        --role=ROLE `
        --project=PROJECT_ID `
        --region=REGION

Windows (cmd.exe)

    gcloud colab runtime-templates add-iam-policy-binding RUNTIME_TEMPLATE_ID ^
        --member=PRINCIPAL ^
        --role=ROLE ^
        --project=PROJECT_ID ^
        --region=REGION

For more information about managing IAM policies for runtime templates from the command line, see the gcloud CLI documentation.
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.
The following sample uses the google_colab_runtime_template_iam_policy Terraform resource to grant access to a Colab Enterprise runtime template.

    data "google_iam_policy" "admin" {
      binding {
        role = "roles/viewer"
        members = [
          "user:jane@example.com",
        ]
      }
    }

    # Authoritative: sets the full IAM policy on the runtime template,
    # replacing any bindings that are already attached to it.
    resource "google_colab_runtime_template_iam_policy" "policy" {
      project          = google_colab_runtime_template.runtime-template.project
      location         = google_colab_runtime_template.runtime-template.location
      runtime_template = google_colab_runtime_template.runtime-template.name
      policy_data      = data.google_iam_policy.admin.policy_data
    }

Colab Enterprise principals are users, groups, or domains
You can grant access to users, groups, or domains. See the following table:
Principal | Example user account |
---|---|
Single user | user@gmail.com |
Google group | admins@googlegroups.com |
Google Workspace domain | example.com |
Revoke access to a runtime template
To revoke access to a runtime template, you can use the Google Cloud console or the gcloud CLI.
Console
- In the Google Cloud console, go to the IAM page.
- Select a project, folder, or organization.
- Find the row containing the principal whose access you want to revoke. Then, click Edit principal in that row.
- Click the Delete button for the role that you want to revoke, and then click Save.
gcloud
Before using any of the command data below, make the following replacements:
- RUNTIME_TEMPLATE_ID: the ID of your runtime template.
- PRINCIPAL: the principal whose access you want to revoke.
- ROLE: the role to remove from the principal.
- PROJECT_ID: your project ID.
- REGION: the region where your runtime template is located.
Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud colab runtime-templates remove-iam-policy-binding RUNTIME_TEMPLATE_ID \
        --member=PRINCIPAL \
        --role=ROLE \
        --project=PROJECT_ID \
        --region=REGION

Windows (PowerShell)

    gcloud colab runtime-templates remove-iam-policy-binding RUNTIME_TEMPLATE_ID `
        --member=PRINCIPAL `
        --role=ROLE `
        --project=PROJECT_ID `
        --region=REGION

Windows (cmd.exe)

    gcloud colab runtime-templates remove-iam-policy-binding RUNTIME_TEMPLATE_ID ^
        --member=PRINCIPAL ^
        --role=ROLE ^
        --project=PROJECT_ID ^
        --region=REGION

For more information about managing IAM policies for runtime templates from the command line, see the gcloud CLI documentation.
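The following is an added example, not part of the original page or of Google's own code: a Python review of a runtime template's IAM policy that flags the broad principal kinds from the principals table and builds the matching remove-iam-policy-binding command for each finding. The policy is a constructed sample in the standard IAM bindings shape (assumed to have been exported as JSON), and TRUSTED_DOMAINS and the flagging rules are assumptions to adapt to your organization.

```python
import json
import shlex

# Constructed sample policy in the standard IAM shape: bindings of role -> members.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/aiplatform.colabEnterpriseAdmin",
   "members": ["user:jane@example.com"]},
  {"role": "roles/viewer",
   "members": ["domain:example.com",
               "group:admins@googlegroups.com",
               "user:user@gmail.com"]}
]}
""")

TRUSTED_DOMAINS = {"example.com"}  # assumption: domains your organization controls


def review_bindings(policy, trusted_domains=TRUSTED_DOMAINS):
    """Return (role, member, reason) for every binding that deserves review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind in ("allUsers", "allAuthenticatedUsers"):
                findings.append((role, member, "public principal"))
            elif kind == "domain":
                # A domain grant covers every account in that domain.
                findings.append((role, member, "entire domain"))
            elif kind in ("user", "group"):
                domain = ident.rpartition("@")[2].lower()
                if domain not in trusted_domains:
                    findings.append((role, member, "outside trusted domains"))
    return findings


def revoke_command(template_id, project_id, region, role, member):
    """Build the page's remove-iam-policy-binding command for one finding."""
    args = ["gcloud", "colab", "runtime-templates", "remove-iam-policy-binding",
            template_id, f"--member={member}", f"--role={role}",
            f"--project={project_id}", f"--region={region}"]
    return " ".join(shlex.quote(arg) for arg in args)


if __name__ == "__main__":
    for role, member, reason in review_bindings(SAMPLE_POLICY):
        print(f"# {member} has {role}: {reason}")
        print(revoke_command("RUNTIME_TEMPLATE_ID", "PROJECT_ID", "REGION", role, member))
```

The script only prints the commands; review each finding before running any of them.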
What's next
- To learn how to grant access to a notebook, see Manage access to a notebook.