This document collects the security best practices and guidelines for Gemini Enterprise Agent Platform when running workloads on Google Cloud. Each entry below is an organization policy constraint for Agent Platform Workbench notebooks and instances, listed with the services it applies to, the value to set, and the NIST SP 800-53 controls and CSF-style control IDs it maps to. Organization policy constraints are evaluated when a resource is created, so enforcing them does not change notebooks or instances that already exist.
Define the access mode for Agent Platform Workbench notebooks and instances
This list constraint defines the permitted access modes for Agent Platform Workbench notebooks and instances. The allow or deny list can contain service-account, which lets multiple users share the instance, or single-user, which restricts the instance to a single user.
- Services: Gemini Enterprise Agent Platform Workbench, Organization Policy Service
- Constraint: constraints/ainotebooks.accessMode
- Value: Is service-account, single-user
- NIST SP 800-53 controls: AC-3, AC-17, AC-20
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.PT-3.1, PR.PT-4.1
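The entry above says the policy value is "Is service-account, single-user": as an Organization Policy resource, that is a rule with an allow list holding both values. The following is an added example, not code from this page or from Google; it builds that resource, and the enforce rule that the boolean constraints further down this page use, as JSON files that gcloud org-policies set-policy accepts. The organization ID 123456789012, the output directory and the function names are assumptions made for the example.

```python
"""Build Organization Policy resources for the Workbench constraints on this page.

Added example, not code from the page or from Google. It assumes the v2
Organization Policy resource shape (name + spec.rules) that
`gcloud org-policies set-policy POLICY_FILE` accepts as JSON or YAML, and uses
the fictitious organization ID 123456789012.
"""
import json
from pathlib import Path
from typing import Iterable


def boolean_policy(parent: str, constraint: str, enforce: bool = True) -> dict:
    """Policy for a boolean constraint, e.g. ainotebooks.disableRootAccess.

    `parent` is organizations/ID, folders/ID or projects/ID. The constraint is
    named without the "constraints/" prefix, as in the policy resource name.
    """
    return {
        "name": f"{parent}/policies/{constraint}",
        "spec": {"rules": [{"enforce": enforce}]},
    }


def list_policy(parent: str, constraint: str,
                allowed: Iterable[str] = (), denied: Iterable[str] = ()) -> dict:
    """Policy for a list constraint, e.g. ainotebooks.accessMode.

    A rule carries either allowedValues or deniedValues. Refuse to build an
    empty rule: a policy with no values would not restrict anything.
    """
    allowed, denied = list(allowed), list(denied)
    if bool(allowed) == bool(denied):
        raise ValueError("give exactly one of allowed= or denied=")
    values = {"allowedValues": allowed} if allowed else {"deniedValues": denied}
    return {
        "name": f"{parent}/policies/{constraint}",
        "spec": {"rules": [{"values": values}]},
    }


def write_policy_files(policies: Iterable[dict], out_dir: Path) -> list[Path]:
    """Write one JSON file per policy and return the paths, in input order."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for policy in policies:
        path = out_dir / (policy["name"].rsplit("/", 1)[1] + ".json")
        path.write_text(json.dumps(policy, indent=2) + "\n")
        paths.append(path)
    return paths


def set_policy_commands(paths: Iterable[Path]) -> list[str]:
    """gcloud invocations that apply the files; run them with an identity
    that holds roles/orgpolicy.policyAdmin on the parent."""
    return [f"gcloud org-policies set-policy {p}" for p in paths]


if __name__ == "__main__":
    org = "organizations/123456789012"  # fictitious organization ID
    policies = [
        list_policy(org, "ainotebooks.accessMode",
                    allowed=["service-account", "single-user"]),
        boolean_policy(org, "ainotebooks.disableRootAccess"),
    ]
    for cmd in set_policy_commands(write_policy_files(policies, Path("workbench-policies"))):
        print(cmd)
```

Running the script writes one file per constraint and prints the gcloud commands to apply them; to tighten the access-mode policy to single-user only, pass denied=["service-account"] instead of the allow list.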
Disable file downloads on Agent Platform Workbench instances
The ainotebooks.disableFileDownloads boolean constraint prevents you from creating Gemini Enterprise Agent Platform Workbench instances with the file download option enabled. By default, you can enable the file download option on any Agent Platform Workbench instance.
- Services: Organization Policy Service, Agent Platform Workbench
- Constraint: constraints/ainotebooks.disableFileDownloads
- Value: Is True
- NIST SP 800-53 controls: AC-3, AC-17, AC-20
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.PT-3.1, PR.PT-4.1
Disable root access on Agent Platform Workbench user-managed notebooks and instances
The ainotebooks.disableRootAccess boolean constraint prevents you from creating Gemini Enterprise Agent Platform Workbench user-managed notebooks and instances with root access enabled. By default, Agent Platform Workbench user-managed notebooks and instances can have root access enabled.
- Services: Organization Policy Service, Agent Platform Workbench
- Constraint: constraints/ainotebooks.disableRootAccess
- Value: Is True
- NIST SP 800-53 controls: AC-3, AC-17, AC-20
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.PT-3.1, PR.PT-4.1
Disable terminal on Agent Platform Workbench instances
The ainotebooks.disableTerminal boolean constraint prevents you from creating Gemini Enterprise Agent Platform Workbench instances with the terminal enabled. By default, you can enable the terminal on Agent Platform Workbench instances.
- Services: Organization Policy Service, Agent Platform Workbench
- Constraint: constraints/ainotebooks.disableTerminal
- Value: Is True
- NIST SP 800-53 controls: AC-3, AC-17, AC-20
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.PT-3.1, PR.PT-4.1
Restrict environment options on Agent Platform Workbench notebooks and instances
The ainotebooks.environmentOptions list constraint defines the VM and container image options that you can select when creating Gemini Enterprise Agent Platform Workbench notebooks and instances. You must explicitly specify the options that you want to allow or deny.
The expected format for VM instances is ainotebooks-vm/PROJECT_ID/IMAGE_TYPE/CONSTRAINED_VALUE, where PROJECT_ID is the project that hosts the image and IMAGE_TYPE is either image-family or image-name. For example:
ainotebooks-vm/deeplearning-platform-release/image-family/pytorch-1-4-cpu
ainotebooks-vm/deeplearning-platform-release/image-name/pytorch-latest-cpu-20200615
The expected format for container images is ainotebooks-container/CONTAINER_REPOSITORY:TAG. For example:
ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:latest
ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:m48
An image family and a floating tag such as latest resolve to whatever the newest matching image is at creation time; allowing a specific image name or a versioned tag such as m48 pins the environment to an image you have reviewed.
- Services: Organization Policy Service, Agent Platform Workbench
- Constraint: constraints/ainotebooks.environmentOptions
- Value: Is (an explicit allow or deny list of image options that you define)
- NIST SP 800-53 controls: AC-3, AC-17, AC-20
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.PT-3.1, PR.PT-4.1
Enforce automatic scheduled upgrades on Agent Platform Workbench user-managed notebooks and instances
The ainotebooks.requireAutoUpgradeSchedule boolean constraint prevents you from creating Gemini Enterprise Agent Platform Workbench user-managed notebooks and instances without an automatic upgrade schedule.
To define a cron schedule for the automatic upgrades, set the notebook-upgrade-schedule metadata key when you create the instance. For example, the following flag schedules an upgrade every Monday at 19:00:
--metadata=notebook-upgrade-schedule="00 19 * * MON"
- Services: Organization Policy Service, Agent Platform Workbench
- Constraint: constraints/ainotebooks.requireAutoUpgradeSchedule
- Value: Is True
- NIST SP 800-53 controls: MA-2, MA-3
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.PT-3.1, PR.PT-4.1
Restrict public access on new Agent Platform Workbench notebooks and instances
This boolean constraint restricts public IP access to newly created Gemini Enterprise Agent Platform Workbench notebooks and instances. By default, public IP addresses can access Agent Platform Workbench notebooks and instances.
- Services: Organization Policy Service, Agent Platform Workbench
- Constraint: constraints/ainotebooks.restrictPublicIp
- Value: Is True
- NIST SP 800-53 controls: AC-3, AC-17, AC-20, SC-7, SC-8
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-6.1, PR.DS-2.1, PR.DS-2.2, PR.DS-5.1, PR.PT-3.1, PR.PT-4.1, DE.CM-1.1, DE.CM-1.2, DE.CM-1.3, DE.CM-1.4
Restrict VPC networks on Agent Platform Workbench instances
The ainotebooks.restrictVpcNetworks list constraint defines the VPC networks that a user can select when creating Gemini Enterprise Agent Platform Workbench instances. By default, an Agent Platform Workbench instance can be created in any VPC network.
Use one of the following formats to define an allowed or denied list of networks:
- under:organizations/ORGANIZATION_ID
- under:folders/FOLDER_ID
- under:projects/PROJECT_ID
- projects/PROJECT_ID/global/networks/NETWORK_NAME
The under: forms match every network that belongs to the given organization, folder, or project; the last form names a single network.
- Services: Organization Policy Service, Agent Platform Workbench
- Constraint: constraints/ainotebooks.restrictVpcNetworks
- Value: Is (an explicit allow or deny list of networks that you define)
- NIST SP 800-53 controls: AC-3, AC-17, AC-20, SC-7, SC-8
- CSF-style control IDs: PR.AC-3.1, PR.AC-3.2, PR.AC-4.1, PR.AC-4.2, PR.AC-4.3, PR.AC-5.1, PR.AC-5.2, PR.AC-6.1, PR.DS-2.1, PR.DS-2.2, PR.DS-5.1, PR.PT-3.1, PR.PT-4.1, DE.CM-1.1, DE.CM-1.2, DE.CM-1.3, DE.CM-1.4
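Setting the constraints is half the job; the other half is checking that the effective policy on a given organization, folder or project still matches this page. The following added example, not code from this page or from Google, audits a set of effective policies against the baseline above: every boolean constraint must be enforced by an unconditional rule, and the three list constraints must carry an explicit allow or deny list whose entries use the value formats documented for environmentOptions (ainotebooks-vm/... and ainotebooks-container/...) and for restrictVpcNetworks (under:... and projects/.../global/networks/...). It assumes the JSON shape that gcloud org-policies describe CONSTRAINT --effective --format=json returns; the sample policies, the organization ID and the function names are constructed for the example.

```python
"""Audit effective Organization Policies against the Workbench baseline on this page.

Added example, not code from the page or from Google. It assumes the v2
policy JSON that `gcloud org-policies describe CONSTRAINT --effective
--format=json` returns (spec.rules with enforce, values.allowedValues,
values.deniedValues, allowAll, denyAll and an optional condition). The sample
policies at the bottom are constructed, with a fictitious organization ID.
"""
import re

# Boolean constraints from this page: the baseline is "Is True" (enforced).
BOOLEAN_CONSTRAINTS = {
    "ainotebooks.disableFileDownloads",
    "ainotebooks.disableRootAccess",
    "ainotebooks.disableTerminal",
    "ainotebooks.requireAutoUpgradeSchedule",
    "ainotebooks.restrictPublicIp",
}

# Value formats the page documents for the list constraints.
_PROJECT = r"[a-z][a-z0-9-]{4,28}[a-z0-9]"  # project ID: 6-30 chars, lowercase
ENV_OPTION_RE = re.compile(
    rf"^ainotebooks-vm/{_PROJECT}/(image-family|image-name)/[A-Za-z0-9._-]+$"
    r"|^ainotebooks-container/[^\s:@]+:[A-Za-z0-9._-]+$"  # REPOSITORY:TAG, no digests
)
VPC_VALUE_RE = re.compile(
    r"^under:(organizations|folders)/\d+$"
    rf"|^under:projects/{_PROJECT}$"
    rf"|^projects/{_PROJECT}/global/networks/[a-z]([a-z0-9-]{{0,61}}[a-z0-9])?$"
)
LIST_CHECKS = {
    "ainotebooks.accessMode": lambda v: v in ("service-account", "single-user"),
    "ainotebooks.environmentOptions": lambda v: ENV_OPTION_RE.match(v) is not None,
    "ainotebooks.restrictVpcNetworks": lambda v: VPC_VALUE_RE.match(v) is not None,
}


def _unconditional_rules(policy: dict) -> list[dict]:
    """Rules that apply to every resource. A rule carrying a `condition`
    only fires for resources with matching tags, so it is not a baseline."""
    return [r for r in policy.get("spec", {}).get("rules", []) if "condition" not in r]


def audit(effective: dict) -> list[str]:
    """Compare effective policies (constraint name -> policy JSON; a missing
    key means nothing is set and the permissive default applies) with the
    baseline. Returns findings; an empty list means compliant."""
    findings = []
    for name in sorted(BOOLEAN_CONSTRAINTS):
        rules = _unconditional_rules(effective.get(name, {}))
        if not any(r.get("enforce") is True for r in rules):
            findings.append(f"{name}: not enforced (or enforced only under a condition)")
    for name, value_ok in sorted(LIST_CHECKS.items()):
        rules = _unconditional_rules(effective.get(name, {}))
        explicit = [v for r in rules for key in ("allowedValues", "deniedValues")
                    for v in r.get("values", {}).get(key, [])]
        wide_open = (not rules or any(r.get("allowAll") for r in rules)
                     or (not explicit and not any(r.get("denyAll") for r in rules)))
        if wide_open:
            findings.append(f"{name}: no explicit allow/deny list, every value is permitted")
            continue
        findings.extend(f"{name}: malformed value {v!r}" for v in explicit if not value_ok(v))
    return findings


# Constructed sample: a merged set of `describe --effective` results for one parent.
SAMPLE_EFFECTIVE = {
    "ainotebooks.disableFileDownloads": {"spec": {"rules": [{"enforce": True}]}},
    "ainotebooks.disableRootAccess": {"spec": {"rules": [{"enforce": True}]}},
    "ainotebooks.disableTerminal": {"spec": {"rules": [{  # only enforced for tagged resources
        "enforce": True,
        "condition": {"expression": "resource.matchTag('123456789012/env', 'prod')"}}]}},
    "ainotebooks.requireAutoUpgradeSchedule": {"spec": {"rules": [{"enforce": True}]}},
    # ainotebooks.restrictPublicIp is absent: nothing is set, so public IPs stay allowed
    "ainotebooks.accessMode": {"spec": {"rules": [{"values": {"allowedValues": ["single-user"]}}]}},
    "ainotebooks.environmentOptions": {"spec": {"rules": [{"values": {"allowedValues": [
        "ainotebooks-vm/deeplearning-platform-release/image-family/pytorch-1-4-cpu",
        "ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:m48",
        "ainotebooks-vm/deeplearning-platform-release/pytorch-latest-cpu",  # IMAGE_TYPE missing
    ]}}]}},
    "ainotebooks.restrictVpcNetworks": {"spec": {"rules": [{"allowAll": True}]}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_EFFECTIVE):
        print(finding)
```

On the constructed sample the audit reports four findings: disableTerminal is enforced only under a tag condition, restrictPublicIp is unset, one environmentOptions entry lacks the image-family or image-name segment, and restrictVpcNetworks allows every network. Conditional rules are treated as non-compliant on purpose: a rule scoped to a tag protects only the resources that carry the tag, which is not the baseline this page describes.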
What's next
- Review agent and application controls.
- See more Google Cloud security best practices and guidelines.

