You can control access to online store instances and feature views by setting Identity and Access Management (IAM) policies for those resources. An IAM policy is a collection of bindings, which associates one or more members, or principals, to an IAM role. You can include the following types of members in an IAM policy binding:
Individual user accounts
Google groups
Domains
Service accounts
Before you begin
Authenticate to Vertex AI, unless you've done so already.
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Set an IAM policy for an online store
Use the following sample to set an IAM policy for an existing online store instance.
REST
To assign an IAM policy to a
FeatureOnlineStore
resource, send a POST
request by using the
featureOnlineStores.setIamPolicy
method.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the online store instance is located, such as
us-central1
. - PROJECT_ID: Your project ID.
- FEATUREONLINESTORE_NAME: The name of the online store instance for which you want to set the IAM policy.
- IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
- USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
- GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
- DOMAIN_NAME: Optional. The domain name to which the role is assigned.
- SERVICE_ACCOUNT_EMAIL: Optional.The email address of the service account to which the role is assigned..
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy
Request JSON body:
{ "policy": { "bindings": [ { "role": "IAM_ROLE_NAME", "members": [ "user:USER_EMAIL", "group:GROUP_EMAIL", "domain:DOMAIN_NAME", "serviceAccount:SERVICE_ACCOUNT_EMAIL" ] } ] } }
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "bindings": [ { "role": "IAM_ROLE_NAME", "members": [ "user:USER_EMAIL", "group:GROUP_EMAIL", "domain:DOMAIN_NAME", "serviceAccount:SERVICE_ACCOUNT_EMAIL" ] } ], "etag": "etag" }
Set an IAM policy for a feature view
Use the following sample to set an IAM policy for an existing feature view.
REST
To assign an IAM policy to a
FeatureView
resource, send a POST
request by using the
featureViews.setIamPolicy
method.
Before using any of the request data, make the following replacements:
- LOCATION_ID: Region where the feature view is located, such as
us-central1
. - PROJECT_ID: Your project ID.
- FEATUREONLINESTORE_NAME: The name of the online store instance containing the feature view.
- FEATUREVIEW_NAME: The name of the feature view for which you want to set the IAM policy.
- IAM_ROLE_NAME: The name of the IAM role to assign to the members. For a complete list of IAM roles for Vertex AI, see Access control with IAM.
- USER_EMAIL: Optional. The email address of the user account to whom the role is assigned.
- GROUP_EMAIL: Optional. The email address of the Google group to which the role is assigned.
- DOMAIN_NAME: Optional. The domain name to which the role is assigned.
- SERVICE_ACCOUNT_EMAIL: Optional.The email address of the service account to which the role is assigned..
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy
Request JSON body:
{ "policy": { "bindings": [ { "role": "IAM_ROLE_NAME", "members": [ "user:USER_EMAIL", "group:GROUP_EMAIL", "domain:DOMAIN_NAME", "serviceAccount:SERVICE_ACCOUNT_EMAIL" ] } ] } }
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/featureOnlineStores/FEATUREONLINESTORE_NAME/featureViews/FEATUREVIEW_NAME:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "bindings": [ { "role": "IAM_ROLE_NAME", "members": [ "user:USER_EMAIL", "group:GROUP_EMAIL", "domain:DOMAIN_NAME", "serviceAccount:SERVICE_ACCOUNT_EMAIL" ] } ], "etag": "etag" }
What's next
Learn how to list all features in a feature group.
Learn how to update a feature.
Learn how to delete a feature.
Learn how to update a feature group.
Online serving types in Vertex AI Feature Store.