You can grant and restrict access to Vertex AI Workbench for an organization or a project. To do so, you define an organization policy using the GDCHRestrictedService policy type, which lets you restrict which services can be used on Google Distributed Cloud (GDC) air-gapped. When applied, the policy prevents the use of the APIs that it references.
For example, you can use this policy type to restrict the use of Vertex AI Workbench to specific projects. Only non-restricted organizations or projects can create or update JupyterLab notebooks. You can also use the policy to completely restrict access to the Vertex AI Workbench service, for example because you want to run tests before allowing your teams to use it.
This page describes how to grant and restrict access to Vertex AI Workbench using the GDCHRestrictedService policy type. To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Configure organization policies.
Before you begin
To get the permissions you need to grant or restrict access to Vertex AI Workbench for an organization or a project, ask your Organization IAM Admin to grant you the GDC Restricted Service Policy Admin (gdchrestrictedservice-policy-admin) cluster role in your project namespace.
For more information about this role, see Prepare IAM permissions.
Restrict access to Vertex AI Workbench for your organization
To restrict access to Vertex AI Workbench for your organization, edit the GDCHRestrictedService policy type by adding the aiplatform.gdc.goog API group and the Notebook kind to the kinds field of the policy.
The following example shows how the kinds field looks in the GDCHRestrictedService policy type when you restrict access to Vertex AI Workbench for your entire organization:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    kinds:
      - apiGroups:
          - "aiplatform.gdc.goog"
        kinds:
          - Notebook
    [...]
```
To restore an organization's access to Vertex AI Workbench, see Grant access to Vertex AI Workbench for your organization.
Restrict access to Vertex AI Workbench for a project
To restrict access to Vertex AI Workbench for a project, edit the GDCHRestrictedService policy type by adding the aiplatform.gdc.goog API group and the Notebook kind to the kinds field of the policy for the project namespace.
The difference from restricting access for an organization is that you must specify which namespace the policy applies to. Add the namespaces field to the policy with your project namespace.
The following example shows how the kinds field looks in the GDCHRestrictedService policy type when you restrict access to Vertex AI Workbench for a project:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    namespaces: [PROJECT_NAMESPACE]
    kinds:
      - apiGroups:
          - "aiplatform.gdc.goog"
        kinds:
          - Notebook
    [...]
```
Replace PROJECT_NAMESPACE with the namespace of the project where you want to restrict access to Vertex AI Workbench.
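The two policies above differ only in whether a namespaces list narrows the match. The following added example (not from the GDC documentation or the product) models that match logic in Python so you can check, before applying a policy, which Notebook create or update requests it would block. It represents the two YAML manifests as Python dictionaries, uses a constructed project namespace name (ml-team-project), and models only the match fields shown on this page (scope, namespaces, kinds); Gatekeeper's other matchers such as excludedNamespaces and label selectors are assumed absent.

```python
"""Simulate which requests a GDCHRestrictedService constraint matches.

Simplified model: only the match fields shown on the page are evaluated
(scope, namespaces, kinds). A "*" entry in apiGroups or kinds is treated
as a wildcard; other Gatekeeper matchers are assumed absent.
"""

NOTEBOOK_GROUP = "aiplatform.gdc.goog"
NOTEBOOK_KIND = "Notebook"

# Mirrors the organization-wide manifest: no namespaces list, so every
# namespace in the organization is matched.
ORG_CONSTRAINT = {
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "GDCHRestrictedService",
    "metadata": {"name": "restrict-notebook-for-organization"},
    "spec": {
        "match": {
            "scope": "Namespaced",
            "kinds": [{"apiGroups": [NOTEBOOK_GROUP], "kinds": [NOTEBOOK_KIND]}],
        }
    },
}

# Mirrors the project-scoped manifest; "ml-team-project" is a constructed
# stand-in for PROJECT_NAMESPACE.
PROJECT_CONSTRAINT = {
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "GDCHRestrictedService",
    "metadata": {"name": "restrict-notebook-for-project"},
    "spec": {
        "match": {
            "scope": "Namespaced",
            "namespaces": ["ml-team-project"],
            "kinds": [{"apiGroups": [NOTEBOOK_GROUP], "kinds": [NOTEBOOK_KIND]}],
        }
    },
}


def matches(constraint, api_group, kind, namespace):
    """Return True if the constraint's match block selects a resource of
    the given API group and kind in the given namespace (None means a
    cluster-scoped resource)."""
    match = constraint["spec"]["match"]
    # scope: Namespaced never selects cluster-scoped resources.
    if match.get("scope") == "Namespaced" and namespace is None:
        return False
    # A namespaces list restricts the policy to those project namespaces.
    allowed_ns = match.get("namespaces")
    if allowed_ns and namespace not in allowed_ns:
        return False
    for entry in match.get("kinds", []):
        groups = entry.get("apiGroups", ["*"])
        kinds = entry.get("kinds", ["*"])
        if ("*" in groups or api_group in groups) and ("*" in kinds or kind in kinds):
            return True
    return False


def blocking_policies(constraints, api_group, kind, namespace):
    """Names of the constraints that would block this request."""
    return [
        c["metadata"]["name"]
        for c in constraints
        if matches(c, api_group, kind, namespace)
    ]


if __name__ == "__main__":
    policies = [ORG_CONSTRAINT, PROJECT_CONSTRAINT]
    for ns in ("ml-team-project", "other-project"):
        print(ns, blocking_policies(policies, NOTEBOOK_GROUP, NOTEBOOK_KIND, ns))
```

Run it against a copy of your own constraint to confirm that the namespaces list really limits the restriction to the intended project: an organization-level constraint reports a match for every namespace, while the project-level one reports a match only for the namespace you listed.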
Grant access to Vertex AI Workbench for your organization
By default, Distributed Cloud organizations have access to Vertex AI Workbench. However, if you restricted access to Vertex AI Workbench for your organization, you can grant access again.
Follow these steps to grant access to Vertex AI Workbench for all the projects in your organization:
1. Identify the GDCHRestrictedService policy type in your organization.
2. Find the aiplatform.gdc.goog API group and the Notebook kind in the policy.
3. If the aiplatform.gdc.goog API group and the Notebook kind are the only content in the kinds field of the policy, delete the GDCHRestrictedService resource.
4. If the GDCHRestrictedService policy contains other restricted services, remove the aiplatform.gdc.goog API group and the Notebook kind from the kinds field and save the changes to the policy.