You are collaborating on a model prototype with your team. You need to create a Vertex AI Workbench environment for the members of your team and also limit access to other employees in your project. What should you do?
A.
1. Create a new service account and grant it the Notebook Viewer role 2. Grant the Service Account User role to each team member on the service account 3. Grant the Vertex AI User role to each team member 4. Provision a Vertex AI Workbench user-managed notebook instance that uses the new service account
B.
1. Grant the Vertex AI User role to the default Compute Engine service account 2. Grant the Service Account User role to each team member on the default Compute Engine service account 3. Provision a Vertex AI Workbench user-managed notebook instance that uses the default Compute Engine service account.
C.
1. Create a new service account and grant it the Vertex AI User role 2. Grant the Service Account User role to each team member on the service account 3. Grant the Notebook Viewer role to each team member. 4. Provision a Vertex AI Workbench user-managed notebook instance that uses the new service account
D.
1. Grant the Vertex AI User role to the primary team member 2. Grant the Notebook Viewer role to the other team members 3. Provision a Vertex AI Workbench user-managed notebook instance that uses the primary user’s account
1. Create a new service account and grant it the Vertex AI User role: This dedicated service account will control access to the Vertex AI Workbench environment.
2. Grant the Service Account User role to each team member on the service account: This grants your team members the ability to use the service account to access the Workbench environment.
3. Grant the Notebook Viewer role to each team member: While they can't modify notebooks, this role allows team members to view and run existing notebooks within the Workbench environment.
4. Provision a Vertex AI Workbench user-managed notebook instance that uses the new service account: By associating the instance with the service account, you ensure only authorized team members (through the service account) can access the environment.
A. Notebook Viewer with Service Account User: Granting the Notebook User role on the service account would allow team members to modify notebooks, potentially exceeding your intended access limitations.
B. Default Service Account: Granting access on the default Compute Engine service account is not recommended for security reasons. It's a shared resource and could grant unintended access.
D. Primary User Access: Granting access through a single user account creates a security risk and is not scalable for managing team member permissions.
My Answer: C
This approach ensures that each team member has access to the necessary resources while limiting access to other employees not involved in the project. In A, the Notebook Viewer role is just to see, which is not sufficient for accessing Vertex AI resources. In B, This option grants permissions to the default Compute Engine service account, which may not be ideal for managing access to Vertex AI resources specifically. In D, This approach does not provide uniform access control for all team members and may lead to inconsistencies in resource management.
A and C really sound like the same. Only going for A because I understand it gives the lowest level of permission role when creating the project (that is, all members in the Compute Engine Project); and subsequently, grants User role ONLY to the team members. https://cloud.google.com/iam/docs/overview#resource
Creating a new service account with the Notebook Viewer role would not provide sufficient permissions for managing the Vertex AI Workbench environment, right?
Dedicated Service Account: Creating a separate service account ensures isolation and control over access to Vertex AI resources.
Vertex AI User Role: Granting this role to the service account provides it with necessary permissions to interact with Vertex AI services.
Service Account User Role: Assigning this role to team members allows them to impersonate the service account, enabling them to use its permissions.
Notebook Viewer Role: This role grants team members access to the notebook instance, but not direct Vertex AI resource management.
User-Managed Notebook Instance: This type of instance uses a specific service account, ensuring access control is aligned with the designated service account's permissions.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
fitri001
6 months, 1 week agofitri001
6 months, 1 week agoguilhermebutzke
8 months, 1 week agomindriddler
8 months, 3 weeks agoguilhermebutzke
8 months, 1 week agob1a8fae
9 months, 1 week agotavva_prudhvi
8 months, 2 weeks agopikachu007
9 months, 2 weeks ago