Permission Levels for GCP

When setting up permissions for users in GCP for NextAI, administrators have three options:

  1. Default Level: This level requires no additional setup. Users are granted Owner-level permissions by default, which means they have broad access.
  2. Mid Level: This is the easiest way to grant permissions without providing Owner-level access. To do this, add the following roles to user principals:

→ Go IAM on admin console and click on grant access

→ Add new principle it can be user, group and service account

→ In assign roles section add the below roles and click save.

  • roles/browser: Allows browsing resources.
  • roles/compute.admin: Grants administrative access to Compute Engine resources.
  • roles/iam.serviceAccountAdmin: Provides permissions to manage service accounts.
  • roles/iam.serviceAccountUser: Allows the use of service accounts.
  • roles/serviceusage.serviceUsageConsumer: Permits the consumption of service usage data.
  • roles/storage.admin: Offers administrative control over storage resources.
  • roles/iam.serviceAccountTokenCreator : allows creation of token for auth
  • roles/iam.securityAdmin: If undesirable, you can initially include it to create necessary service accounts and then replace it with roles/iam.roleViewer.

Optional for TPUs (Tensor Processing Units):

  • roles/tpu.admin: Grants access to TPUs.
jsx
roles/browser
roles/compute.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountUser
roles/iam.serviceAccountTokenCreator
roles/serviceusage.serviceUsageConsumer
roles/storage.admin
roles/iam.securityAdmin

Use the new created user/principal for models deployments on nextAI following the setup instructions.

Advanced (more granular access)

How to Create Role?

  1. Go to GCP’s IAM & Admin console and click on Create Role.
  1. Give the role a descriptive name, such as nextai-role.
  1. Click Add Permissions and search for the following permissions and add them to the role
jsx
compute.disks.create
compute.disks.list
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.start
compute.instances.stop
compute.networks.get
compute.networks.list
compute.networks.getEffectiveFirewalls
compute.globalOperations.get
compute.reservations.list
compute.subnetworks.use
compute.subnetworks.list
compute.subnetworks.useExternalIp
compute.projects.get
compute.zoneOperations.get
iam.roles.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
serviceusage.services.enable
serviceusage.services.list
serviceusage.services.use
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
roles/iam.serviceAccountTokenCreator
  1. Optional: If the user needs to access GCS buckets, you can additionally add the following permissions:
jsx
storage.buckets.create
storage.buckets.get
storage.buckets.delete
storage.objects.create
storage.objects.update
storage.objects.delete
storage.objects.get
storage.objects.list
  1. Optional: To enable --clone-disk-from, you need to have the following permissions for the role as well:
jsx
compute.disks.useReadOnly
compute.images.create
compute.images.get
compute.images.delete
  1. Optional: To enable opening ports on GCP cluster, you need to have the following permissions for the role as well:
jsx
compute.instances.setTags
compute.firewalls.list
compute.firewalls.update
  1. Optional: If the user needs to use custom machine images with, you can additionally add the following permissions:
jsx
compute.disks.get
compute.disks.resize
compute.images.get
compute.images.useReadOnly
  1. Click Create to create the role.
  2. Go back to the “IAM” tab and click on GRANT ACCESS.
  3. Fill in the email address of the user in the “Add principals” section, and select nextai-role in the “Assign roles” section. Click Save
  4. The user should receive an invitation to the project and should be able to setup service account in nextai cloud by following the instructions in below

CREATE SERVICE ACCOUNT

  1. Click the “Service Accounts” tab in the IAM & Admin console, and click on Create Service Account
  1. Add any preferred service account name and set service account id to nextai-role and click create and continue.
  1. Select the nextai-role (or the name you set) created in the last section and click on DONE. You can also Medium Permissions roles as described in the previous sections.

The user should be able to setup nextai deployment by following the setup instructions.