
Permission to access Workbench instance JupyterLab interface

JupyterLab has 2 access modes.

So for single user only access mode, if the specified user with access to the JupyterLab interface is also the creator of the instance, does that user still need iam.serviceAccounts.actAs permission on the instance's service account?

So is it that any user that is accessing the JupyterLab interface must have iam.serviceAccounts.actAs permission on the instance's service account in both access modes?


Hi @Mouzma,

Welcome to Google Cloud Community!

In Vertex AI Workbench (or any environment using JupyterLab with specific IAM access controls), whether a user needs the iam.serviceAccounts.actAs permission on the instance's service account depends on the user's role and how they need to access the environment. Here's a breakdown to clarify:

Single User Only Access Mode:

  • Creator of the Instance: If the user who is accessing the JupyterLab interface is also the creator of the Vertex AI Workbench instance, they do not need the iam.serviceAccounts.actAs permission on the instance's service account. This is because the instance is already associated with their user account, and they have inherent access.
  • Non-Creator: If the user accessing the JupyterLab interface is not the creator of the instance, they do need the iam.serviceAccounts.actAs permission on the instance's service account. This is because the instance is tied to a specific service account, and the user needs to be granted permission to act as that service account.

Service Account Access Mode:

  • Any User: In the Service Account access mode, any user who wants to access the JupyterLab interface must have the iam.serviceAccounts.actAs permission on the specified service account. This is because the instance is directly tied to the service account, and users need to be authorized to act as that service account to gain access.

In addition, here are some helpful resources:

  1. Manage access to an instance's JupyterLab interface: Overview of managing user access in single-user and multi-user modes.
  2. IAM Roles and Permissions for Vertex AI Workbench: Details on required IAM roles and permissions, including access to service accounts.
  3. Service Accounts Overview: Information on service accounts and the iam.serviceAccounts.actAs permission.
  4. IAM Documentation: General information on managing IAM roles, permissions, and policies.

I hope the above information is helpful.
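Added example, not part of the original reply and not Google's code: a least-privilege review of who can act as the instance's service account, run over an allow policy in the JSON shape printed by `gcloud iam service-accounts get-iam-policy --format=json`. The sample policy, the e-mail addresses and the function names are constructed for illustration; the role set is an assumption to extend with any custom roles you use, and grants inherited from the project, folder or organization are not visible in this policy.

```python
import json

# Assumption: roles treated as containing iam.serviceAccounts.actAs.
# roles/iam.serviceAccountUser is the predefined role for it; add custom roles here.
ROLES_WITH_ACTAS = {"roles/iam.serviceAccountUser"}

# Constructed sample: allow policy attached to the instance's service account.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "group:ml-team@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary-access", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:carol@example.com"]}
  ]
}
""")


def members_with_actas(policy, roles=ROLES_WITH_ACTAS):
    """Map each member to the condition titles (None = unconditional) of its actAs grants."""
    granted = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in roles:
            continue  # role is not in the assumed actAs set
        title = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            granted.setdefault(member, []).append(title)
    return granted


def review(policy, expected_users):
    """Compare the users who should reach JupyterLab with the actAs grants in the policy."""
    granted = members_with_actas(policy)
    expected = {f"user:{u}" for u in expected_users}
    return {
        # expected users with no direct grant (group or inherited grants are not resolved)
        "missing": sorted(expected - set(granted)),
        # principals that can act as the service account but are not on the expected list
        "unexpected": sorted(set(granted) - expected),
        # principals whose every grant is conditional and may lapse
        "conditional_only": sorted(m for m, t in granted.items() if all(x is not None for x in t)),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_POLICY, ["alice@example.com", "carol@example.com"]), indent=2))
```

Group entries in "unexpected" need their membership checked separately, since the policy lists only the group address.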