GCP Configurations
Permission Levels for GCP
When setting up permissions for users in GCP for NextAI, administrators have three options:
- Default Level: This level requires no additional setup. Users are granted Owner-level permissions by default, which means they have broad access.
- Mid Level: This is the easiest way to grant permissions without providing Owner-level access. To do this, add the following roles to user principals:
→ Go to IAM in the admin console and click Grant Access.
→ Add a new principal; it can be a user, group, or service account.
→ In the Assign roles section, add the roles below and click Save.
roles/browser: Allows browsing resources.
roles/compute.admin: Grants administrative access to Compute Engine resources.
roles/iam.serviceAccountAdmin: Provides permissions to manage service accounts.
roles/iam.serviceAccountUser: Allows the use of service accounts.
roles/serviceusage.serviceUsageConsumer: Permits the consumption of service usage data.
roles/storage.admin: Offers administrative control over storage resources.
roles/iam.serviceAccountTokenCreator: Allows creation of tokens for auth.
roles/iam.securityAdmin: If undesirable, you can initially include it to create necessary service accounts and then replace it with roles/iam.roleViewer.
Optional for TPUs (Tensor Processing Units):
roles/tpu.admin: Grants access to TPUs.
Use the newly created user/principal for model deployments on NextAI by following the setup instructions.
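An added example (not NextAI's own code) that checks which Mid Level roles a principal still lacks, and whether Owner or roles/iam.securityAdmin is still bound after setup. It assumes the policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the function name, sample principals and sample policy are constructed for illustration.

```python
import json

# Role names copied from the Mid Level list on this page.
MID_LEVEL_ROLES = {
    "roles/browser",
    "roles/compute.admin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountUser",
    "roles/serviceusage.serviceUsageConsumer",
    "roles/storage.admin",
    "roles/iam.serviceAccountTokenCreator",
}
# The page allows securityAdmin initially, with roleViewer as its replacement.
SECURITY_ROLES = {"roles/iam.securityAdmin", "roles/iam.roleViewer"}


def audit_principal(policy: dict, member: str) -> dict:
    """Compare the roles bound to `member` with the Mid Level list (hypothetical helper)."""
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding may not apply at deploy time, so report it apart.
        (conditional if "condition" in binding else granted).add(binding["role"])
    return {
        "missing": sorted(MID_LEVEL_ROLES - granted),
        "needs_security_role": not (granted & SECURITY_ROLES),
        "still_owner": "roles/owner" in granted,
        "still_security_admin": "roles/iam.securityAdmin" in granted,
        "conditional": sorted(conditional),
    }


# Constructed sample in the shape of a project IAM policy export.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:deployer@example.com"]},
  {"role": "roles/browser", "members": ["user:deployer@example.com", "user:other@example.com"]},
  {"role": "roles/compute.admin", "members": ["user:deployer@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:other@example.com"]},
  {"role": "roles/iam.securityAdmin", "members": ["user:deployer@example.com"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["user:deployer@example.com"],
   "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_principal(SAMPLE_POLICY, "user:deployer@example.com"), indent=2))
```

A role held only through a conditional binding is listed under both `missing` and `conditional`, so the reviewer decides whether the condition is acceptable.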
Advanced (more granular access)
How to Create a Role
- Go to GCP’s IAM & Admin console and click on Create Role.
- Give the role a descriptive name, such as nextai-role.
- Click Add Permissions, then search for the following permissions and add them to the role:
- Optional: If the user needs to access GCS buckets, you can additionally add the following permissions:
- Optional: To enable --clone-disk-from, you need to have the following permissions for the role as well:
- Optional: To enable opening ports on a GCP cluster, you need to have the following permissions for the role as well:
- Optional: If the user needs to use custom machine images with, you can additionally add the following permissions:
- Click Create to create the role.
- Go back to the “IAM” tab and click on GRANT ACCESS.
- Fill in the email address of the user in the “Add principals” section, and select nextai-role in the “Assign roles” section. Click Save.
- The user should receive an invitation to the project and should be able to set up a service account in NextAI cloud by following the instructions below.
CREATE SERVICE ACCOUNT
- Click the “Service Accounts” tab in the IAM & Admin console, and click on Create Service Account.
- Add any preferred service account name, set the service account ID to nextai-role, and click Create and Continue.
- Select the nextai-role (or the name you set) created in the last section and click on DONE. You can also use the Mid Level roles described in the previous sections.
The user should be able to set up a NextAI deployment by following the setup instructions.