Control access to Vertex AI endpoints
This page discusses how to control access to a Vertex AI endpoint by setting an IAM policy on it. It assumes that you're already familiar with IAM concepts such as policies, roles, permissions, and principals as described in Vertex AI access control with IAM and Concepts related to access management.
An IAM policy includes one or more role bindings that define which IAM roles are associated with which principals. A role is a collection of permissions that you grant to a principal. Vertex AI provides predefined roles that you can use in your policies, or you can create your own custom roles.
Get an IAM policy
You can view the current IAM policy on a Vertex AI endpoint by using the REST API. To do so, you must have the endpoints.getIamPolicy permission on the endpoint or the project. The Vertex AI Administrator role (roles/aiplatform.admin) grants this permission.
REST
To get the IAM policy from a resource, send a POST request that uses the getIamPolicy method.
Before using any of the request data, make the following replacements:
- LOCATION_ID: The region where the endpoint is located, for example, us-central1.
- PROJECT_ID: Your Google Cloud project ID.
- ENDPOINT_ID: The ID for the endpoint.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:getIamPolicy
To send your request, choose one of these options:
curl
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:getIamPolicy"
PowerShell
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:getIamPolicy" | Select-Object -Expand Content
You should receive a JSON response with the current IAM policy:
{
  "version": 1,
  "etag": "BwXTmICm7mI",
  "bindings": [
    {
      "role": "roles/aiplatform.user",
      "members": [
        "user:example@example.com"
      ]
    }
  ]
}
Set an IAM policy
You can set an IAM policy on an endpoint by using the REST API. To do so, you must have the endpoints.setIamPolicy permission on the endpoint or the project. The Vertex AI Administrator role (roles/aiplatform.admin) grants this permission.
REST
To set the IAM policy on a resource, send a POST request that uses the setIamPolicy method.
Setting an IAM policy overrides any existing policy; changes are not appended, so any binding you leave out of the new policy is removed. To modify a resource's existing policy, use the getIamPolicy method to get its existing policy and then make modifications. Include your modified policy along with the etag in your setIamPolicy request.
If you receive a 409 error code, a concurrent setIamPolicy request has already updated the policy. Use the getIamPolicy method to get the policy's updated etag, and then retry the setIamPolicy request with the new etag.
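The read-modify-write cycle described above, as an added Python example; it is not code from this page or from any Google client library. It assumes only what the page states: setIamPolicy replaces the whole policy and is rejected with a 409 when the etag no longer matches. The FakeEndpointIam class, PolicyConflict exception, fake-etag values and the interfere test hook are constructed stand-ins so the example runs offline; against a real endpoint the two calls would be the getIamPolicy and setIamPolicy requests shown in this section.

```python
import copy


class PolicyConflict(Exception):
    """Constructed stand-in for the API's 409 response (etag mismatch)."""


class FakeEndpointIam:
    """Constructed stand-in for an endpoint's getIamPolicy/setIamPolicy.

    It models the one behaviour that matters here: setIamPolicy is a full
    replacement, and it is rejected when the request's etag is not the etag
    of the currently stored policy.
    """

    def __init__(self, bindings):
        self._version = 0
        self._bindings = copy.deepcopy(bindings)

    @property
    def _etag(self):
        # Constructed value; real etags are opaque strings such as "BwXTmICm7mI".
        return f"fake-etag-{self._version}"

    def get_iam_policy(self):
        return {"version": 1, "etag": self._etag,
                "bindings": copy.deepcopy(self._bindings)}

    def set_iam_policy(self, policy):
        if policy.get("etag") != self._etag:
            raise PolicyConflict("policy was modified concurrently; fetch a new etag")
        self._bindings = copy.deepcopy(policy["bindings"])
        self._version += 1
        return self.get_iam_policy()


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    Every other binding and the etag are preserved. Because setIamPolicy
    replaces the whole policy, sending only the new binding would silently
    revoke every principal that was not included.
    """
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def grant_with_retry(iam, role, member, max_attempts=3, interfere=None):
    """Get the policy, merge the binding, write it back with the etag we read.

    On a conflict (the API's 409) the loop re-reads the policy, re-applies the
    change on top of the other writer's update and retries, so neither update
    is lost. `interfere` is a constructed test hook that runs once before the
    first write to simulate another client's concurrent setIamPolicy.
    """
    for attempt in range(max_attempts):
        current = iam.get_iam_policy()
        proposed = add_binding(current, role, member)
        if interfere is not None and attempt == 0:
            interfere()
        try:
            return iam.set_iam_policy(proposed)
        except PolicyConflict:
            continue
    raise RuntimeError(f"gave up after {max_attempts} conflicting updates")
```

Keeping the merge (add_binding) separate from the retry loop makes the dangerous step explicit: the policy you write must be derived from the policy you just read, not assembled from scratch.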
Before using any of the request data, make the following replacements:
- LOCATION_ID: The region where the endpoint is located, for example, us-central1.
- PROJECT_ID: Your Google Cloud project ID.
- ENDPOINT_ID: The ID for the endpoint.
- ROLE: An IAM role that includes the permissions to grant, such as roles/aiplatform.user.
- PRINCIPAL: The principal that is granted the role's permissions, such as user:myuser@example.com.
- ETAG: A string value that is used to prevent simultaneous updates of a policy from overwriting each other. This value is returned as part of the getIamPolicy response.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:setIamPolicy
Request JSON body:
{
  "policy": {
    "bindings": [
      {
        "role": "ROLE",
        "members": [
          "PRINCIPAL"
        ]
      },
      ...
    ],
    "etag": "ETAG"
  }
}
To send your request, choose one of these options:
curl
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:setIamPolicy"
PowerShell
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response with the current IAM policy:
{
  "version": 1,
  "etag": "BwXTmICm7mI",
  "bindings": [
    {
      "role": "roles/aiplatform.user",
      "members": [
        "user:example@example.com"
      ]
    }
  ]
}
Verify a user's IAM permissions for an endpoint
You can verify whether the currently authenticated user has specific IAM permissions for an endpoint.
REST
To verify whether a user has specific IAM permissions for a resource, send a POST request that uses the testIamPermissions method. The following example lets you test whether the currently authenticated user has a set of IAM permissions for an endpoint.
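How to interpret a testIamPermissions exchange, as an added Python example that is not code from this page or from any Google client library. The response lists only the subset of the requested permissions that the caller actually holds, so the useful result is the difference between what was asked for and what came back. The fake_test_iam_permissions function and the SAMPLE_ROLE_PERMISSIONS table are constructed stand-ins so the example runs offline; the real role contents are defined in the IAM role reference, and the real call is the request shown in this section.

```python
PREFIX = "aiplatform.googleapis.com/"

# Constructed role -> permission table for the stand-in below. It lists only
# what this example needs; consult the IAM role reference for the real lists.
SAMPLE_ROLE_PERMISSIONS = {
    "roles/aiplatform.user": {
        "aiplatform.endpoints.get",
        "aiplatform.endpoints.predict",
    },
    "roles/aiplatform.admin": {
        "aiplatform.endpoints.get",
        "aiplatform.endpoints.predict",
        "aiplatform.endpoints.getIamPolicy",
        "aiplatform.endpoints.setIamPolicy",
    },
}


def build_request(permissions):
    """Build the testIamPermissions request body, using the service-prefixed
    permission form this page shows (aiplatform.googleapis.com/...)."""
    return {"permissions": [p if p.startswith(PREFIX) else PREFIX + p
                            for p in permissions]}


def fake_test_iam_permissions(policy, caller, request):
    """Constructed stand-in for the API: evaluate `policy` for `caller` and
    return only the requested permissions the caller holds. Like the real
    method it never adds permissions that were not requested."""
    held = set()
    for binding in policy.get("bindings", []):
        if caller in binding["members"]:
            held |= SAMPLE_ROLE_PERMISSIONS.get(binding["role"], set())
    granted = [p for p in request["permissions"]
               if p.removeprefix(PREFIX) in held]
    return {"permissions": granted}


def missing_permissions(request, response):
    """Requested permissions that the response did not confirm.

    An empty list means the caller holds every permission asked for. The
    response omits the "permissions" field entirely when nothing was granted,
    so read it defensively rather than indexing it.
    """
    granted = set(response.get("permissions", []))
    return [p for p in request["permissions"] if p not in granted]
```

This is a check on the caller's own access, not an audit of someone else's: the method reports what the currently authenticated principal can do, which makes it suitable for a deployment script that verifies it holds, for example, both the get and the predict permissions before proceeding.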
Before using any of the request data, make the following replacements:
- LOCATION_ID: The region where the endpoint is located, for example, us-central1.
- PROJECT_ID: Your Google Cloud project ID.
- ENDPOINT_ID: The ID for the endpoint.
HTTP method and URL:
POST https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:testIamPermissions
Request JSON body:
{
  "permissions": [
    "aiplatform.googleapis.com/aiplatform.endpoints.get",
    "aiplatform.googleapis.com/aiplatform.endpoints.predict"
  ]
}
To send your request, choose one of these options:
curl
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:testIamPermissions"
PowerShell
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://LOCATION_ID-aiplatform.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION_ID/endpoints/ENDPOINT_ID:testIamPermissions" | Select-Object -Expand Content
You should receive a JSON response that lists the requested permissions that the authenticated user holds:
{
  "permissions": [
    "aiplatform.googleapis.com/aiplatform.endpoints.get",
    "aiplatform.googleapis.com/aiplatform.endpoints.predict"
  ]
}
What's next
To learn more about how to set up projects with more secure access control of endpoints, see Set up a project for a team.
Last updated 2025-12-15 UTC.